arXiv:1501.01549v1 [quant-ph] 7 Jan 2015


Quantifying the Leakage of Quantum Protocols 
for Classical Two-Party Cryptography* 


Louis Salvail 1 , Christian Schaffner 2,3 , and Miroslava Sotakova 4 

1 Université de Montréal (DIRO), QC, Canada
salvail@iro.umontreal.ca

2 Institute for Logic, Language and Computation (ILLC) 
University of Amsterdam, The Netherlands 

c.schaffner@uva.nl 

3 Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands 
4 Knewton, Inc, NY, USA 
gwhitehawk@gmail.com 


Abstract. We study quantum protocols among two distrustful parties. By adopting a rather strict definition of correctness—guaranteeing that honest players obtain their correct outcomes only—we can show that every strictly correct quantum protocol implementing a non-trivial classical primitive necessarily leaks information to a dishonest player. This extends known impossibility results to all non-trivial primitives. We provide a framework for quantifying this leakage and argue that leakage is a good measure for the privacy provided to the players by a given protocol. Our framework also covers the case where the two players are helped by a trusted third party. We show that despite the help of a trusted third party, the players cannot amplify the cryptographic power of any primitive. All our results hold even against quantum honest-but-curious adversaries who honestly follow the protocol but purify their actions and apply a different measurement at the end of the protocol. As concrete examples, we establish lower bounds on the leakage of standard universal two-party primitives such as oblivious transfer.

Keywords: two-party cryptography, quantum protocols, quantum information theory, information leakage.


1 Introduction 

Quantum communication allows one to implement tasks which are classically impossible. The most prominent example is quantum key distribution [BB84] where two honest players establish a secure key against an eavesdropper. In the two-party setting however, quantum and classical cryptography often show similar limits. Oblivious transfer [Lo97], bit commitment [May97,LC97], and even fair coin tossing [Kit03] are impossible to realize securely both classically and quantumly. On the other hand, quantum cryptography allows for some weaker primitives impossible in the classical world. For example, quantum coin-flipping protocols with maximum bias of $1/\sqrt{2} - 1/2$ exist^5 against any adversary [CK09] while remaining impossible based solely on classical communication. A few other weak primitives are known to be possible with quantum communication. For example, the generation of an additive

* A previous version of this article has appeared at ASIACRYPT 2009 [SSS09].

5 In fact, protocols with better bias are known for weak quantum coin flipping [Moc04,Moc05,Moc07].


















secret-sharing for the product $xy$ of two bits, where Alice holds bit $x$ and Bob bit $y$, has been introduced by Popescu and Rohrlich as machines modeling non-signaling non-locality (also called NL-boxes) [PR94]. If Alice and Bob share an EPR pair, they can simulate an NL-box with symmetric error probability $\sin^2\frac{\pi}{8}$ [PR94,BLM+05]. Equivalently, Alice and Bob can implement 1-out-of-2 oblivious transfer (1-2-OT) privately provided the receiver Bob gets the bit of his choice only with probability of error $\sin^2\frac{\pi}{8}$ [Amb05]. It is easy to verify that even with such imperfection these two primitives are impossible to realize in the classical world. This discussion naturally leads to the following question:


— Which two-party cryptographic primitives are possible to achieve using quantum communication?


Most standard classical two-party primitives have been shown impossible to implement securely against weak quantum adversaries reminiscent of the classical honest-but-curious (HBC) behavior [Lo97]. The idea behind these impossibility proofs is to consider parties that purify their actions throughout the protocol execution. This behavior is indistinguishable from the one specified by the protocol but guarantees that the joint quantum state held by Alice and Bob at any point during the protocol remains pure. The possibility for players to behave that way in any two-party protocol has important consequences. For instance, the impossibility of quantum bit commitment follows from this fact [May97,LC97]: After the commit phase, Alice and Bob share the pure state $|\psi^x\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ corresponding to the commitment of bit $x$. Since a proper commitment scheme provides no information about $x$ to the receiver Bob, it follows that $\mathrm{tr}_A |\psi^0\rangle\langle\psi^0| = \mathrm{tr}_A |\psi^1\rangle\langle\psi^1|$. In this case, the Schmidt decomposition guarantees that there exists a unitary $U_{0,1}$ acting only on Alice's side such that $|\psi^1\rangle = (U_{0,1} \otimes \mathbb{I}_B)|\psi^0\rangle$. In other words, if the commitment is concealing then Alice can open the bit of her choice by applying a suitable unitary transform only to her part. A similar argument allows one to conclude that 1-2-OT is impossible [Lo97]: Suppose Alice is sending the pair of bits $(b_0, b_1)$ to Bob through 1-2-OT. Since Alice does not learn Bob's selection bit, it follows that Bob can get bit $b_0$ before undoing the reception of $b_0$ and transforming it into the reception of $b_1$ using a local unitary transform similar to $U_{0,1}$ for bit commitment. For both these primitives, privacy for one player implies that local actions by the other player can transform the honest execution with one input into the honest execution with another input.

In this paper, we investigate the cryptographic power of two-party quantum protocols against players that purify their actions while trying to implement a classical primitive. This quantum honest-but-curious (QHBC) behavior is the natural quantum version of classical HBC behavior. This class of adversaries was recently called (perfectly) specious in [DNS10]. It contains all adversaries that could prove to a judge, at any step during a protocol execution, that the joint state (up to an adversary's local computation) is the honest one. We consider classical primitives providing Alice and Bob with random variables $X$ and $Y$ respectively, distributed according to $P_{X,Y}$. Any such $P_{X,Y}$ models a two-party cryptographic primitive where neither Alice nor Bob provides input. For the purpose of this paper, this model is general enough since any two-party primitive with inputs can be randomized (Alice and Bob pick their inputs at random) so that its behavior can be described by a suitable joint probability distribution $P_{X,Y}$. If the classical primitive with inputs $f : \mathcal{A} \times \mathcal{B} \to \mathcal{W} \times \mathcal{Z}$ is implemented securely by some protocol $\pi_f$ then it must also remain secure when Alice's and Bob's private inputs $(a,b) \in \mathcal{A} \times \mathcal{B}$ are picked uniformly at random. In this case, the joint probability distribution $P_{X,Y}$ implemented by $\pi_f$ is simply:

$$P_{X,Y}((a,w),(b,z)) = \frac{\Pr(f(a,b) = (w,z))}{|\mathcal{A}| \cdot |\mathcal{B}|} .$$

If the randomized version $P_{X,Y}$ is shown to be impossible to implement securely by any quantum protocol then the original primitive with inputs must also be impossible.

Any quantum protocol implementing $P_{X,Y}$ must produce, when both parties purify their actions, a joint pure state $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ that, when subsystems $A$ and $B$ are measured in the computational basis, leads to outcomes $X$ and $Y$ according to the distribution $P_{X,Y}$. Notice that the registers $A'$ and $B'$ only provide the players with extra working space and, as such, do not contribute to the output of the functionality (so parties are free to measure them the way they want). In this paper, we adopt a somewhat strict point of view and define a quantum protocol $\pi$ for $P_{X,Y}$ to be strictly correct if and only if the correct outcomes $X, Y$ are obtained and the registers $A'$ and $B'$ do not provide any additional information about $Y$ and $X$ respectively, since otherwise $\pi$ would be implementing a different primitive $P_{XX',YY'}$ rather than $P_{X,Y}$. The state $|\psi\rangle$ produced by any strictly correct protocol for $P_{X,Y}$ is what we call a quantum embedding of $P_{X,Y}$. An embedding is called regular if registers $A'$ and $B'$ are empty. Any embedding $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ can be produced in the QHBC model by the trivial protocol asking Alice to generate $|\psi\rangle$ before sending the quantum state in $\mathcal{H}_{BB'}$ to Bob. It follows that in the QHBC model, any embedding of $P_{X,Y}$ corresponds to a strictly correct protocol and, since any protocol implementing $P_{X,Y}$ can be purified in the bare model, any strictly correct protocol generates some embedding of $P_{X,Y}$ in the QHBC model.

Notice that if $X$ and $Y$ were provided privately to Alice and Bob—through a trusted third party for instance—then the expected amount of information one party gets about the other party's output is minimal and can be quantified by the Shannon mutual information $I(X;Y)$ between $X$ and $Y$. Assume that $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ is an embedding of $P_{X,Y}$ produced by a strictly correct quantum protocol. We define the leakage of $|\psi\rangle$ as

$$\Delta_\psi := \max\{\, S(X;BB') - I(X;Y),\; S(Y;AA') - I(Y;X) \,\} , \qquad (1)$$

where $S(X;BB')$ (resp. $S(Y;AA')$) is the information the quantum registers $BB'$ (resp. $AA'$) provide about the output $X$ (resp. $Y$). That is, the leakage is the maximum amount of extra information about the other party's output given the quantum state held by one party. It turns out that $S(X;BB') = S(Y;AA')$ holds for all embeddings, exhibiting a symmetry similar to its classical counterpart $I(X;Y) = I(Y;X)$ and therefore, the two quantities we are taking the maximum of in (1) coincide.
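As an added worked example (not code from the paper), the following Python evaluates (1) for the regular embedding whose amplitudes are $\sqrt{P_{X,Y}(x,y)}$ with all phases set to zero; that choice is an assumption, since the paper's bound is a minimum over all embeddings, so this is the leakage of one candidate embedding. For the constructed tables of randomized 1-2-OT and of a shared uniform bit it returns $1/2$ bit and $0$ respectively, and it exposes both terms of the maximum so the symmetry $S(X;B) = S(Y;A)$ can be checked.

```python
"""Leakage Delta_psi of a regular embedding, eq. (1).

Added example, not code from the paper.  The embedding is the phase-free
regular one, psi[x, y] = sqrt(P_{X,Y}(x, y)) (an assumption: the paper
minimises over all embeddings, so this is the leakage of one candidate).
Sample tables (constructed): randomized 1-2-OT and a shared uniform bit."""
import itertools
import numpy as np

def shannon(p):
    """Shannon entropy in bits of an array of probabilities (zeros ignored)."""
    p = np.asarray(p, dtype=float).ravel()
    p = p[p > 1e-12]
    return float(-(p * np.log2(p)).sum())

def von_neumann(rho):
    """S(rho): Shannon entropy of the eigenvalues of a density matrix."""
    return shannon(np.linalg.eigvalsh(rho).clip(min=0.0))

def mutual_information(P):
    """Classical I(X;Y) for a joint table P[x, y]."""
    return shannon(P.sum(axis=1)) + shannon(P.sum(axis=0)) - shannon(P)

def regular_embedding(P):
    """Amplitudes of |psi> = sum_{x,y} sqrt(P(x,y)) |x>_A |y>_B, all phases zero."""
    return np.sqrt(P)

def holevo_information(psi):
    """S(X;B) for the cq-state obtained by measuring register A of |psi> in the
    computational basis: S(rho_B) - sum_x P_X(x) S(rho_B^x), the right-hand
    side of the Holevo bound.  For a regular embedding every rho_B^x is pure,
    so the second term vanishes; it is kept so the code stays general."""
    P_x = (psi ** 2).sum(axis=1)
    rho_B = np.zeros((psi.shape[1], psi.shape[1]))
    conditional = 0.0
    for x in range(psi.shape[0]):
        if P_x[x] < 1e-12:
            continue
        phi_x = psi[x] / np.sqrt(P_x[x])        # Bob's (pure) state given X = x
        rho_x = np.outer(phi_x, phi_x)
        rho_B += P_x[x] * rho_x
        conditional += P_x[x] * von_neumann(rho_x)
    return von_neumann(rho_B) - conditional

def leakage(P):
    """Delta_psi = max{S(X;B) - I(X;Y), S(Y;A) - I(Y;X)}; S(Y;A) is obtained by
    swapping the roles of the two registers (psi.T).  Returns the maximum and
    both terms, so the symmetry S(X;B) = S(Y;A) can be checked."""
    psi = regular_embedding(P)
    i_xy = mutual_information(P)
    to_bob = holevo_information(psi) - i_xy
    to_alice = holevo_information(psi.T) - i_xy
    return max(to_bob, to_alice), to_bob, to_alice

def randomized_ot_table():
    """Randomized 1-2-OT: X = (b0, b1) uniform, Y = (c, b_c) with c uniform.
    Rows indexed by 2*b0 + b1, columns by 2*c + b_c."""
    P = np.zeros((4, 4))
    for b0, b1, c in itertools.product((0, 1), repeat=3):
        P[2 * b0 + b1, 2 * c + (b0, b1)[c]] += 1.0 / 8.0
    return P

def shared_bit_table():
    """Trivial primitive: X = Y = a uniform bit."""
    return np.array([[0.5, 0.0], [0.0, 0.5]])
```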


1.1 Contributions 

Our first contribution establishes that the notion of leakage is well behaved. We show that the leakage of any embedding for $P_{X,Y}$ is lower bounded by the leakage of some regular embedding of the same primitive. Thus, in order to lower bound the leakage of any strictly correct implementation of a given primitive, it suffices to minimize the leakage over all its regular embeddings. We also show that the only non-leaking embeddings are the ones for trivial primitives, where a primitive $P_{X,Y}$ is said to be (cryptographically) trivial if it can be generated by a classical protocol against HBC adversaries^6. It follows that any quantum protocol implementing a non-trivial primitive $P_{X,Y}$ must leak information under the sole assumption that it produces $(X,Y)$ with the right joint distribution. This extends known impossibility results for two-party primitives to all non-trivial primitives.

6 We are aware of the fact that our definition of triviality encompasses cryptographically interesting primitives like coin-tossing and generalizations thereof for which highly non-trivial protocols

Embeddings of primitives arise from protocols where Alice and Bob have full control over the environment. Having in mind that any embedding of a non-trivial primitive leaks information, it is natural to investigate what tasks can be implemented without leakage with the help of a trusted third party. The notion of leakage can easily be adapted to this scenario. We show that no cryptographic two-party primitive can be implemented without leakage with just one call to the ideal functionality of a weaker primitive^7. This new impossibility result does not follow from the ones known since they all assume that the state shared between Alice and Bob is pure.

We then turn our attention to the leakage of strictly correct protocols for a few concrete universal primitives. From the results described above, the leakage of any strictly correct implementation of a primitive can be determined by finding the (regular) embedding that minimizes the leakage. In general, this is not an easy task since it requires finding the eigenvalues of the reduced density matrix $\rho_A = \mathrm{tr}_B |\psi\rangle\langle\psi|$ (or equivalently $\rho_B = \mathrm{tr}_A |\psi\rangle\langle\psi|$). As far as we know, no known results allow us to obtain a non-trivial lower bound on the leakage (which is the difference between the mutual information and accessible information) of non-trivial primitives. One reason is that in our setting we need to lower bound this difference with respect to a measurement in one particular basis. However, when $P_{X,Y}$ is such that the bit-length of either $X$ or $Y$ is short, the leakage can be computed precisely. We show that any strictly correct implementation of 1-2-OT necessarily leaks $\frac{1}{2}$ bit. Since NL-boxes and 1-2-OT are locally equivalent, the same minimal leakage applies to NL-boxes [WW05b]. This is a stronger impossibility result than the one by Lo [Lo97] since he assumes perfect/statistical privacy against one party while our approach only assumes strict correctness (while both approaches apply even against QHBC adversaries). We finally show that for Rabin-OT and 1-2-OT of $r$-bit strings (i.e. ROT$^r$ and 1-2-OT$^r$ respectively), the leakage approaches 1 exponentially in $r$. In other words, strictly correct implementations of these two primitives trivialize as $r$ increases since the sender gets almost all information about Bob's reception of the string (in case of ROT$^r$) and Bob's choice bit (in case of 1-2-OT$^r$). These are the first quantitative impossibility results for these primitives and the first time the hardness of implementing different flavors of string OT is shown to increase as the strings to be transmitted get longer.

Finally, we note that our lower bounds on the leakage of the randomized primitives also lower-bound the minimum leakage for the standard versions of these primitives^8 where the players choose their inputs uniformly at random. While we focus on the typical case where the primitives are run with uniform inputs, the same reasoning can be applied to primitives with arbitrary distributions of inputs.


exist [Moc07,CK09]. However, the important fact (for the purpose of this paper) is that all these primitives can be implemented by trivial classical protocols against HBC adversaries.

7 The weakness of a primitive will be formally defined in terms of entropic monotones for classical two-party computation introduced by Wolf and Wullschleger [WW04], see Section m.

8 The definition of leakage of an embedding can be generalized to protocols with inputs, where it is defined as $\max\{\sup_{V_B} S(X;V_B) - I(X;Y),\ \sup_{V_A} S(V_A;Y) - I(X;Y)\}$, where $X$ and $Y$ involve both inputs and outputs of Alice and Bob, respectively. The supremum is taken over all possible (quantum) views $V_A$ and $V_B$ of Alice and Bob obtained by their (QHBC-consistent) actions (and containing their inputs).
1.2 Related Work


Our framework allows us to quantify the minimum amount of leakage whereas standard impossibility proofs such as the ones of [LC97,May97,Lo97,AKSW07,BCS12] do not in general provide such quantification since they usually assume privacy for one player in order to show that the protocol must be totally insecure for the other player^9. By contrast, we derive lower bounds for the leakage of any strictly correct implementation. At first glance, our approach seems contradictory with standard impossibility proofs since embeddings leak the same amount towards both parties. To resolve this apparent paradox it suffices to observe that in previous approaches only the adversary purified its actions whereas in our case both parties do. If an honest player does not purify his actions then some leakage may be lost by the act of irreversibly and unnecessarily measuring some of his quantum registers.

Our results complement the ones obtained by Colbeck in [Col07] for the setting where Alice and Bob have inputs and obtain identical outcomes (called single-function computations). [Col07] shows that in any strictly correct implementation of primitives of a certain form, an honest-but-curious player can access more information about the other party's input than is available through the ideal functionality. Unlike [Col07], we deal in our work with the case where Alice and Bob do not have inputs but might receive different outputs according to a joint probability distribution. We show that only trivial distributions can be implemented securely in the QHBC model. Furthermore, we introduce a quantitative measure of protocol-insecurity that lets us answer which embeddings allow the least effective cheating.

Another notion of privacy in quantum protocols, generalizing its classical counterpart from [CK91,Kus92], is proposed by Klauck in [Kla04]. Therein, two-party quantum protocols with inputs for computing a function $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$, where $\mathcal{X}$ and $\mathcal{Y}$ denote Alice's and Bob's respective input spaces, and privacy against QHBC adversaries are considered. Privacy of a protocol is measured in terms of privacy loss, defined for each round of the protocol and fixed distribution of inputs $P_{X',Y'}$ by $S(B;X|Y) = H(X|Y) - S(X|B,Y)$, where $B$ denotes Bob's private working register, and $X := (X', f(X',Y'))$, $Y := (Y', f(X',Y'))$ represent the complete views of Alice and Bob, respectively. Privacy loss of the entire protocol is then defined as the supremum over all joint input distributions, protocol rounds, and states of working registers. In our framework, privacy loss corresponds to $S(X;YB) - I(X;Y)$ from Alice's point of view and $S(Y;XA) - I(Y;X)$ from Bob's point of view. Privacy loss is therefore very similar to our definition of leakage except that it requires the players to get their respective honest outputs. As a consequence, the protocol implementing $P_{X,Y}$ by asking one party to prepare a regular embedding of $P_{X,Y}$ before sending her register to the other party would have no privacy loss. Moreover, the scenario analyzed in [Kla04] is restricted to primitives which provide the same output $f(X,Y)$ to both players. Another difference is that since privacy loss is computed over all rounds of a protocol, a party is allowed to abort, which is not considered QHBC in our setting. In conclusion, the model of [Kla04] is different from ours even though the measures of privacy loss and leakage are similar. [Kla04] provides interesting results concerning trade-offs between privacy loss and communication complexity of quantum protocols, building upon similar results of [CK91,Kus92] in the classical scenario.


9 Trade-offs between the security for one and the security for the other player have been considered before, but either the relaxation of security has to be very small [UMI] or the trade-offs are restricted to particular primitives such as commitments [SR01,BCH+08] or oblivious transfer [CKS13].
It would be interesting to know whether a similar operational meaning can also be assigned to the new measure of privacy introduced in this paper.

A result by Künzler et al. [KMR09] shows that two-party functions that are securely computable against active quantum adversaries form a strict subset of the set of functions which are securely computable in the classical HBC model. This complements our result that the sets of securely computable functions in both HBC and QHBC models are the same.

A recent paper by Fehr, Katz, Song, Zhou and Zikas [FKS+13] studies our question with respect to the stricter requirements of universal composability. They give classification results for quantum protocols achieving classical primitives with computational and information-theoretic security. Interestingly, classical and quantum protocols seem to be similarly powerful with respect to computational security whereas in the information-theoretic setting, the two landscapes look different.


1.3 Roadmap 

In Section 2 we introduce the cryptographic and information-theoretic notions and concepts used throughout the paper. We define, motivate, and analyze the generality of modeling two-party quantum protocols by embeddings in Section 3 and define triviality of primitives and embeddings. In Section 4 we define the notion of leakage of embeddings, show basic properties and argue that it is a reasonable measure of privacy. In Section 5 we explicitly lower bound the leakage of some universal two-party primitives. Finally, in Section 6 we discuss possible directions for future research and open questions.


2 Preliminaries 

2.1 Quantum Information Theory 

For $x,y \in \{0,1\}^n$, $\delta_{x,x} = 1$ and $\delta_{x,y} = 0$ if $x \neq y$. In the following, we denote by $\mathcal{U}(A)$ the set of unitary transforms acting in Hilbert space $\mathcal{H}_A$. Let $|\psi\rangle_{AB} \in \mathcal{H}_{AB}$ be an arbitrary pure state of the joint systems $A$ and $B$. The states of these subsystems are $\rho_A = \mathrm{tr}_B |\psi\rangle\langle\psi|$ and $\rho_B = \mathrm{tr}_A |\psi\rangle\langle\psi|$, respectively. We denote by $S(A)_\psi := S(\rho_A)$ and $S(B)_\psi := S(\rho_B)$ the von Neumann entropy (defined as the Shannon entropy of the eigenvalues of the density matrix) of subsystems $A$ and $B$ respectively. Whenever the quantum state $|\psi\rangle$ is clear from the context, we omit the subscripts from entropic quantities and simply write $S(A)$ and $S(B)$. Since the joint system is in a pure state, it follows from the Schmidt decomposition that $S(A) = S(B)$ (see e.g. [NC00]). Analogously to their classical counterparts, we can define quantum conditional entropy $S(A|B) := S(AB) - S(B)$, and quantum mutual information $S(A;B) := S(A) + S(B) - S(AB) = S(A) - S(A|B) = S(B) - S(B|A)$. Note that applying a local unitary transform $U = \mathbb{I}_A \otimes U_B$ to the bipartite state $\rho_{AB}$ does not change the mutual information $S(A;B)_\rho = S(A;B)_{U\rho U^\dagger}$, because the spectra of eigenvalues of $\rho_A$, $\rho_B$ and $\rho_{AB}$ remain the same. Even though $S(A|B)$ can be negative in general, $S(A|B) \geq 0$ is always true if $A$ is a classical register.

Let $\mathcal{R} = \{(P_X(x), \rho_R^x)\}_{x \in \mathcal{X}}$ be an ensemble of states $\rho_R^x$ with prior probability $P_X(x)$. This defines a classical-quantum (cq) state $\rho_{XR}$ where the average quantum state is $\rho_R = \sum_{x \in \mathcal{X}} P_X(x)\rho_R^x$. The following lemma states that applying a separate unitary transform to each $\rho_R^x$ does not change the entropies $S(XR)$ and $H(X)$, but it might change $S(R)$.










Lemma 2.1. Let $\rho_{XR} = \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes \rho_R^x$ be a cq-state and let $U_{XR} = \sum_x |x\rangle\langle x|_X \otimes U_R^x$ be a unitary transform acting only on register $R$, conditioned on the classical value $x$ in $X$. Then, $S(XR)_{\rho_{XR}} = S(XR)_{U_{XR}\rho_{XR}U_{XR}^\dagger}$ and $H(X)_{\rho_{XR}} = H(X)_{U_{XR}\rho_{XR}U_{XR}^\dagger}$.

Proof. The density matrix of the cq-state $\rho_{XR}$ is block-diagonal and applying separate unitary transforms $U_R^x$ in every sub-block does not change the overall spectrum of eigenvalues. Hence, the entropy $S(XR)$ remains the same. The second equality follows from the fact that the unitary $U_{XR}$ only acts on register $R$. □

The famous result by Holevo upper-bounds the amount of classical information about $X$ that can be obtained by measuring $\rho_R$:

Theorem 2.2 (Holevo bound [Hol73,Rus02]). Let $Y$ be the random variable describing the outcome of some measurement applied to $\rho_R$ for $\mathcal{R} = \{P_X(x), \rho_R^x\}_{x \in \mathcal{X}}$. Then, $I(X;Y) \leq S(\rho_R) - \sum_x P_X(x) S(\rho_R^x)$, where equality can be achieved if and only if $\{\rho_R^x\}_{x \in \mathcal{X}}$ are simultaneously diagonalizable.

Note that if all states in the ensemble are pure and all different then in order to achieve equality in the theorem above, they have to form an orthonormal basis of the space they span. In this case, the variable $Y$ achieving equality is the measurement outcome in this orthonormal basis.


2.2 Markov Chains 

We say that three classical random variables $X, Y, Z$ with joint distribution $P_{XYZ}$ form a Markov chain $X \leftrightarrow Y \leftrightarrow Z$, if $X$ and $Z$ are independent given $Y$, i.e., $P_{XZ|Y} = P_{X|Y} \cdot P_{Z|Y}$. Equivalent conditions are $P_{X|YZ} = P_{X|Y}$ or $P_{Z|YX} = P_{Z|Y}$ [CT91]. Markov chains with quantum ends have been defined in [DFSS07] and used in subsequent works such as [FS09]. For a ccq-state $\rho_{XYR} = \sum_{x,y} P_{XY}(x,y) |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_R^{x,y}$, we say that $X, Y, R$ form a Markov chain $X \leftrightarrow Y \leftrightarrow R$, if $\rho_{XYR} = \sum_{x,y} P_{XY}(x,y) |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_R^{y}$, i.e., the quantum register $R$ depends only on the classical variable $y$ but not on $x$.

Lemma 2.3. For a ccq-state $\rho_{XYR}$, the following conditions are equivalent:

1. $X \leftrightarrow Y \leftrightarrow R$

2. $S(X|YR) = S(X|Y)$

3. $S(R|YX) = S(R|Y)$

4. $S(X;YR) = I(X;Y)$.


Proof. For fixed $x,y$, we can diagonalize $\rho_R^{x,y} = \sum_k \lambda_k^{x,y} |\varphi_k^{x,y}\rangle\langle\varphi_k^{x,y}|_R$. By redefining the random variable $Y$ to be $(YK)$ with joint distribution $P_{X(YK)}(x, yk) = P_{XY}(x,y)\lambda_k^{x,y}$, we can assume without loss of generality that $\rho_R^{x,y} = |\varphi^{x,y}\rangle\langle\varphi^{x,y}|_R$ is a pure state for every fixed $x,y$. In that case, it is easy to check that $X \leftrightarrow Y \leftrightarrow R$ implies the other three conditions, because $S(XYR) = S(XY)$ and $S(YR) = S(Y)$.

On the other hand, if $X \leftrightarrow Y \leftrightarrow R$ does not hold, there exist $x \neq x'$ and $y$ such that $\rho_R^{x,y} \neq \rho_R^{x',y}$. Hence, there exists a measurement on registers $YR$ that reveals more information about $X$ than just knowing $Y$, which implies $S(X|YR) \neq S(X|Y)$. The other implications can be shown similarly. □
2.3 Dependent Part

The following definition introduces a random variable describing the correlation between two random variables $X$ and $Y$, obtained by collapsing all values $x_1$ and $x_2$ for which $Y$ has the same conditional distribution, to a single value.

Definition 2.4 (Dependent part [WW04]). For two random variables $X, Y$, let $f_X(x) := P_{Y|X=x}$. Then the dependent part of $X$ with respect to $Y$ is defined as $X \searrow Y := f_X(X)$.

The dependent part $X \searrow Y$ is the minimum random variable among the random variables computable from $X$ for which $X \leftrightarrow (X \searrow Y) \leftrightarrow Y$ forms a Markov chain [WW04]. In other words, for any random variable $K = f(X)$ such that $X \leftrightarrow K \leftrightarrow Y$ is a Markov chain, there exists a function $g$ such that $g(K) = X \searrow Y$. Immediately from the definition we get several other properties of $X \searrow Y$ [WW04]: $H(Y|X \searrow Y) = H(Y|X)$, $I(X;Y) = I(X \searrow Y; Y)$, and $X \searrow Y = X \searrow (Y \searrow X)$. The second and the third formula yield $I(X;Y) = I(X \searrow Y; Y \searrow X)$. For two random variables $X$ and $Z$, we write $X = Z$ if $X$ and $Z$ have the same distributions (over possibly different alphabets). In particular, we write $X = X \searrow Y$ if the random variable $X$ consists only of the dependent part $X \searrow Y$ with respect to $Y$.

The notion of dependent part has been further investigated in [FWW04,IMNW04,WW05a]. Wullschleger and Wolf have shown that the quantities $H(X \searrow Y | Y)$ and $H(Y \searrow X | X)$ are monotones for two-party computation [WW05a]. That is, none of these values can increase during classical two-party protocols. In particular, if Alice and Bob start a protocol from scratch then classical two-party protocols can only produce $(X,Y)$ such that $H(X \searrow Y|Y) = H(Y \searrow X|X) = 0$, since $H(X \searrow Y|Y) > 0$ if and only if $H(Y \searrow X|X) > 0$ [WW05a]. Conversely, any primitive satisfying $H(X \searrow Y|Y) = H(Y \searrow X|X) = 0$ can be implemented securely in the honest-but-curious (HBC) model. We call such primitives trivial^10.


2.4 Connected Components 

Another property of a joint probability distribution $P_{XY}$ which we require is the notion of connected components, as in [WW04, Def. 1].

Definition 2.5. Let $X$ and $Y$ be random variables with (disjoint) ranges $\mathcal{X}$ and $\mathcal{Y}$, distributed according to $P_{XY}$. Consider the bipartite graph $G$ with vertex set $\mathcal{X} \cup \mathcal{Y}$ such that two vertices $x \in \mathcal{X}$ and $y \in \mathcal{Y}$ are connected by an edge iff $P_{XY}(x,y) > 0$ holds. We call the edge sets $C_1, \ldots, C_\ell$ of connected components of the graph $G$ the connected components of $P_{XY}$.

In this way, the joint distribution $P_{XY}$ can be split into $\ell$ distributions $\{P_{X_j Y_j}\}_{j=1}^{\ell}$. For every $j$, $P_{X_j Y_j}$ is a distribution with a single component over alphabet $\mathcal{X}_j \times \mathcal{Y}_j$, where $\mathcal{X}$ is the disjoint union of the $\mathcal{X}_j$ and $\mathcal{Y}$ the disjoint union of the $\mathcal{Y}_j$. We denote by the random variable $C$ the component of $XY$, resulting in the joint distribution $P_{CXY}$. Then,

$$P_C(j) = \sum_{xy \in C_j} P_{XY}(x,y) = \sum_{x \in \mathcal{X}_j} P_X(x) = \Pr(X \in \mathcal{X}_j) = \sum_{y \in \mathcal{Y}_j} P_Y(y) = \Pr(Y \in \mathcal{Y}_j)$$

is the probability that $XY$ ends up in component $C_j$ (which is the same as the probability that $X$ ends up in $\mathcal{X}_j$ and that $Y$ ends up in $\mathcal{Y}_j$). Note that $C$ is a deterministic function of $X$ (and also of $Y$), hence

$$I(X;Y) = H(Y) - H(Y|X) = H(YC) - H(Y|XC) = H(C) + H(Y|C) - H(Y|XC) = H(C) + I(X;Y|C) . \qquad (2)$$
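As an added worked example (not code from the paper), the following Python computes the dependent part $X \searrow Y$ of Definition 2.4, the monotones $H(X \searrow Y|Y)$ and $H(Y \searrow X|X)$ that decide triviality, and the connected components of Definition 2.5 together with the decomposition (2), on two constructed tables: randomized one-bit Rabin-OT (non-trivial, one component) and a primitive in which Bob receives Alice's bit plus a private coin (trivial, two components).

```python
"""Dependent part (Def. 2.4), the Wolf-Wullschleger monotones and connected
components (Def. 2.5) of a joint table P[x, y].

Added example, not code from the paper.  The sample tables are constructed:
randomized one-bit Rabin-OT (non-trivial) and a two-component primitive in
which Bob receives Alice's bit together with a private coin (trivial)."""
import itertools
import numpy as np

EPS = 1e-12

def shannon(p):
    """Shannon entropy in bits of any array of probabilities (zeros ignored)."""
    p = np.asarray(p, dtype=float).ravel()
    p = p[p > EPS]
    return float(-(p * np.log2(p)).sum())

def mutual_information(P):
    return shannon(P.sum(axis=1)) + shannon(P.sum(axis=0)) - shannon(P)

def dependent_part(P):
    """f_X(x) = P_{Y|X=x}, encoded as an integer label per row: rows with the
    same conditional distribution collapse to one value.  Rows with
    P_X(x) = 0 never occur and get label -1."""
    P_x = P.sum(axis=1)
    seen, labels = [], []
    for x in range(P.shape[0]):
        if P_x[x] < EPS:
            labels.append(-1)
            continue
        cond = tuple(np.round(P[x] / P_x[x], 10))
        if cond not in seen:
            seen.append(cond)
        labels.append(seen.index(cond))
    return labels

def monotone(P):
    """H(X \\searrow Y | Y): build the joint table of (f_X(X), Y), then H(KY) - H(Y)."""
    labels = dependent_part(P)
    Q = np.zeros((max(labels) + 1, P.shape[1]))
    for x, lab in enumerate(labels):
        if lab >= 0:
            Q[lab] += P[x]
    return shannon(Q) - shannon(Q.sum(axis=0))

def is_trivial(P):
    """Section 2.3: trivial iff H(X\\searrow Y|Y) = H(Y\\searrow X|X) = 0."""
    return monotone(P) < 1e-9 and monotone(P.T) < 1e-9

def connected_components(P):
    """Component label for every edge (x, y) with P(x, y) > 0, via union-find
    on the bipartite support graph (X-vertices 0..nx-1, Y-vertices nx..)."""
    nx_, ny_ = P.shape
    parent = list(range(nx_ + ny_))
    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v
    edges = [(x, y) for x, y in itertools.product(range(nx_), range(ny_)) if P[x, y] > EPS]
    for x, y in edges:
        parent[find(x)] = find(nx_ + y)
    roots = {}
    return {(x, y): roots.setdefault(find(x), len(roots)) for x, y in edges}

def decomposition_check(P):
    """Eq. (2): returns (I(X;Y), H(C) + I(X;Y|C)); the two must agree."""
    comp = connected_components(P)
    ncomp = max(comp.values()) + 1
    P_c, cond_mi = np.zeros(ncomp), 0.0
    for j in range(ncomp):
        Pj = np.zeros_like(P)
        for (x, y), c in comp.items():
            if c == j:
                Pj[x, y] = P[x, y]
        P_c[j] = Pj.sum()
        cond_mi += P_c[j] * mutual_information(Pj / P_c[j])
    return mutual_information(P), shannon(P_c) + cond_mi

def rabin_ot_table():
    """X = b uniform; Y = b with probability 1/2, else the erasure symbol
    (column 2).  Rows b in {0,1}, columns {0, 1, erasure}."""
    return np.array([[0.25, 0.0, 0.25],
                     [0.0, 0.25, 0.25]])

def two_component_table():
    """X = b uniform; Y = (b, s) with a private uniform coin s, columns 2b+s.
    The support splits into the two components b = 0 and b = 1."""
    return np.array([[0.25, 0.25, 0.0, 0.0],
                     [0.0, 0.0, 0.25, 0.25]])
```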


10 See Footnote 6 for a caveat about this terminology.

















2.5 Purification 


All security questions we ask are with respect to (quantum) honest-but-curious adversaries. In the classical honest-but-curious adversary model (HBC), the parties follow the instructions of a protocol but store all information available to them. Quantum honest-but-curious adversaries (QHBC), on the other hand, are allowed to behave in an arbitrary way that cannot be distinguished from their honest behavior by the other player.

Almost all impossibility results in quantum cryptography rely upon a quantum honest-but-curious behavior of the adversary. This behavior consists in purifying all actions of the honest players. Purifying means that instead of invoking classical randomness from a random tape, for instance, the adversary relies upon quantum registers holding all random bits needed. The operations to be executed from the random outcome are then performed quantumly without fixing the random outcomes. For example, suppose a protocol instructs a party to pick with probability $p$ state $|\phi^0\rangle_C$ and with probability $1-p$ state $|\phi^1\rangle_C$ before sending it to the other party through the quantum channel $C$. The purified version of this instruction looks as follows: Prepare a quantum register in state $\sqrt{p}\,|0\rangle_R + \sqrt{1-p}\,|1\rangle_R$ holding the random process. Add a new register initially in state $|0\rangle_C$ before applying the unitary transform $U : |r\rangle_R |0\rangle_C \mapsto |r\rangle_R |\phi^r\rangle_C$ for $r \in \{0,1\}$, send register $C$ through the quantum channel and keep register $R$.

From the receiver's point of view, the purified behavior is indistinguishable from the one relying upon a classical source of randomness because in both cases, the state of register $C$ is $\rho = p\,|\phi^0\rangle\langle\phi^0| + (1-p)\,|\phi^1\rangle\langle\phi^1|$. All operations invoking classical randomness can be purified similarly [LC97,May97,Lo97,Ken04]. The result is that measurements are postponed as much as possible and only extract information required to run the protocol in the sense that only when both players need to know a random outcome, the corresponding quantum register holding the random coin will be measured. If both players purify their actions then the joint state at any point during the execution will remain pure, until the very last step of the protocol when the outcomes are measured.
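The purified preparation just described, as an added example that is not code from the paper: register $R$ holds the coin, a controlled unitary $U$ prepares $|\phi^r\rangle_C$, and the code checks that the reduced state of $C$ equals the classical mixture $\rho$ while a later measurement of $R$ still reproduces the coin statistics. The states $|\phi^0\rangle = |0\rangle$, $|\phi^1\rangle = |+\rangle$ and $p = 0.3$ are constructed sample values.

```python
"""Purifying a probabilistic state preparation (Section 2.5).

Added example, not code from the paper.  Register R holds the coin
sqrt(p)|0> + sqrt(1-p)|1>, a controlled unitary U prepares |phi^r>_C, and the
reduced state of C equals the mixture a receiver relying on classical
randomness would see.  p and the two states below are constructed samples."""
import numpy as np

SAMPLE_P = 0.3
SAMPLE_PHI0 = np.array([1.0, 0.0])                   # |0>
SAMPLE_PHI1 = np.array([1.0, 1.0]) / np.sqrt(2.0)    # |+>

def coin_state(p):
    """sqrt(p)|0>_R + sqrt(1-p)|1>_R: the random process kept in superposition."""
    return np.array([np.sqrt(p), np.sqrt(1.0 - p)])

def preparation_unitary(phi0, phi1):
    """U with U|r>_R|0>_C = |r>_R|phi^r>_C.  Only these two columns matter for
    the protocol; the remaining columns are completed by Gram-Schmidt so that
    U is a genuine unitary on R x C (block-diagonal in r)."""
    d = len(phi0)
    U = np.zeros((2 * d, 2 * d), dtype=complex)
    for block, phi in ((0, phi0), (d, phi1)):
        basis = [np.asarray(phi, dtype=complex)]
        for e in np.eye(d, dtype=complex):
            v = e - sum(np.vdot(b, e) * b for b in basis)
            if np.linalg.norm(v) > 1e-9:
                basis.append(v / np.linalg.norm(v))
        for k, vec in enumerate(basis):          # k = 0 is the |0>_C column
            U[block:block + d, block + k] = vec
    return U

def purified_preparation(p, phi0, phi1):
    """Joint state on R x C (index r*d + c) after the purified instruction."""
    d = len(phi0)
    start = np.kron(coin_state(p), np.eye(d)[0])        # |coin>_R |0>_C
    return preparation_unitary(phi0, phi1) @ start

def reduced_state_C(psi, d):
    """rho_C = tr_R |psi><psi| for a pure state on the 2 x d system."""
    m = psi.reshape(2, d)                     # m[r, c]
    return m.T @ m.conj()

def classical_mixture(p, phi0, phi1):
    """What the receiver sees when the sender uses a classical coin instead."""
    return p * np.outer(phi0, phi0.conj()) + (1.0 - p) * np.outer(phi1, phi1.conj())

def postponed_measurement(psi, d):
    """Measure R in the computational basis only now: outcome probabilities
    (p, 1-p) and the conditional states of C, which are exactly |phi^0>, |phi^1>."""
    m = psi.reshape(2, d)
    probs = np.array([np.vdot(m[r], m[r]).real for r in range(2)])
    conditional = [m[r] / np.sqrt(probs[r]) for r in range(2)]
    return probs, conditional

def demo(p=SAMPLE_P, phi0=SAMPLE_PHI0, phi1=SAMPLE_PHI1):
    """Run the purified instruction and report the checks the text makes."""
    U = preparation_unitary(phi0, phi1)
    psi = purified_preparation(p, phi0, phi1)
    probs, cond = postponed_measurement(psi, len(phi0))
    return {
        "unitary_ok": bool(np.allclose(U.conj().T @ U, np.eye(len(U)))),
        "indistinguishable": bool(np.allclose(reduced_state_C(psi, len(phi0)),
                                              classical_mixture(p, phi0, phi1))),
        "prob_r0": float(probs[0]),
        "conditional_states_ok": bool(np.allclose(cond[0], phi0)
                                      and np.allclose(cond[1], phi1)),
    }
```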

2.6 Secure Two-Party Computation 

In Section 5 we investigate the leakage of several universal cryptographic two-party primitives. By universality we mean that any two-party secure function evaluation can be reduced to them. We investigate the completely randomized versions where players do not have inputs but receive randomized outputs instead. Throughout this paper, the term primitive usually refers to the joint probability distribution defining its randomized version. Any protocol implementing the standard version of a primitive (with inputs) can also be used to implement a randomized version of the same primitive, with the "inputs" chosen according to an arbitrary fixed probability distribution.


3 Two-Party Protocols and Their Embeddings 

3.1 Strict Correctness 

In this work, we consider cryptographic primitives providing $X$ to honest player Alice and $Y$ to honest player Bob according to a joint probability distribution $P_{X,Y}$. The goal of this section is to define when a protocol $\pi$ correctly implements the primitive $P_{X,Y}$. The first natural requirement is that once the actions of $\pi$ are purified by both players, measurements of registers $A$ and $B$ in the computational basis^11 provide joint outcome $(X,Y) = (x,y)$ with probability $P_{X,Y}(x,y)$.

Protocol $\pi$ can use extra registers $A'$ on Alice's and $B'$ on Bob's side providing them with (quantum) working space. The purification of all actions of $\pi$ therefore generates a pure state $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$. A second requirement for the correctness of the protocol $\pi$ is that these extra registers are only used as working space, i.e. the final state $|\psi\rangle_{ABA'B'}$ is such that the content of Alice's working register $A'$ does not give her any further information about Bob's output $Y$ than what she can infer from her honest output $X$, and vice versa for $B'$. Formally, we require that $S(XA';Y) = I(X;Y)$ and $S(X;YB') = I(X;Y)$. By Lemma 2.3 the two conditions are equivalent to requiring $A' \leftrightarrow X \leftrightarrow Y \leftrightarrow B'$ to be a Markov chain.

Definition 3.1. A protocol $\pi$ for $P_{X,Y}$ is strictly correct if measuring registers $A$ and $B$ of its final state in the computational basis yields outcomes $X$ and $Y$ with distribution $P_{X,Y}$, and the final state satisfies $S(X;YB') = S(XA';Y) = I(X;Y)$, where $A'$ and $B'$ denote the extra working registers of Alice and Bob. The state $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$ is called an embedding of $P_{X,Y}$ if it can be produced by the purification of a strictly correct protocol for $P_{X,Y}$.

We would like to point out that our definition of correctness is stronger than the usual classical notion, which only requires the correct distribution for the output of the honest players. For example, the trivial classical protocol for the primitive $P_{X,Y}$ in which Alice samples both players' outputs $X, Y$, sends $Y$ to Bob, but keeps a copy of $Y$ for herself, is not strictly correct because it implements a fundamentally different primitive, namely $P_{XY,Y}$. Definition 3.1 requires that any protocol for $P_{X,Y}$ leaks no information beyond $I(X;Y)$ to any party having measured its output $X$ or $Y$.


3.2 Regular Embeddings 

We call an embedding $|\psi\rangle_{ABA'B'}$ regular if the working registers $A'$, $B'$ are empty. Formally, let $\Theta_{n,m} := \{\theta : \{0,1\}^n \times \{0,1\}^m \to [0 \ldots 2\pi)\}$ be the set of functions mapping bit-strings of length $m+n$ to real numbers between $0$ and $2\pi$.

Definition 3.2. For a joint probability distribution $P_{X,Y}$ where $X \in \{0,1\}^n$ and $Y \in \{0,1\}^m$, we define the set
\[
\mathcal{E}(P_{X,Y}) := \Big\{ |\psi\rangle \in \mathcal{H}_{AB} : |\psi\rangle = \sum_{x \in \{0,1\}^n,\, y \in \{0,1\}^m} e^{i\theta(x,y)} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB},\ \theta \in \Theta_{n,m} \Big\}
\]
and call any state $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ a regular embedding of the joint probability distribution $P_{X,Y}$.

Clearly, any $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ produces $(X,Y)$ with distribution $P_{X,Y}$, since the probability that Alice measures $x$ and Bob measures $y$ in the computational basis is $|\langle\psi|x,y\rangle|^2 = P_{X,Y}(x,y)$. In order to specify a particular regular embedding one only needs to give the description of the phase function $\theta(x,y)$. We denote by $|\psi_\theta\rangle \in \mathcal{E}(P_{X,Y})$ the quantum embedding of $P_{X,Y}$ with phase function $\theta$. The constant function $\theta(x,y) := 0$ for all $x \in \{0,1\}^n$, $y \in \{0,1\}^m$ corresponds to what we call the canonical embedding $|\psi_0\rangle := \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB}$.

11 It is clear that every quantum protocol for which the final measurement (providing $(x,y)$ with distribution $P_{X,Y}$ to the players) is not in the computational basis can be transformed into a protocol of the described form by two additional local unitary transformations.

In Lemma 4.3 below we show that every primitive $P_{X,Y}$ has a regular embedding which is in some sense the most secure among all embeddings of $P_{X,Y}$.

3.3 Trivial Classical Primitives and Trivial Embeddings 

In this section, we define triviality of classical primitives and (bipartite) embeddings. We show that for any non-trivial classical primitive, its canonical quantum embedding is also non-trivial. Intuitively, a primitive $P_{X,Y}$ is trivial if $X$ and $Y$ can be generated by Alice and Bob from scratch in the classical honest-but-curious (HBC) model.¹² Formally, we define triviality via an entropic quantity based on the notion of dependent part (see Section 2).

Definition 3.3. A primitive $P_{X,Y}$ is called trivial if it satisfies $H(X \searrow Y \mid Y) = 0$, or equivalently, $H(Y \searrow X \mid X) = 0$. Otherwise, the primitive is called non-trivial.

Definition 3.4. A regular embedding $|\psi\rangle_{AB} \in \mathcal{E}(P_{X,Y})$ is called trivial if either $S(X \searrow Y \mid B) = 0$ or $S(Y \searrow X \mid A) = 0$. Otherwise, we say that $|\psi\rangle_{AB}$ is non-trivial.

Notice that unlike in the classical case, $S(X \searrow Y \mid B) = 0 \Leftrightarrow S(Y \searrow X \mid A) = 0$ does not hold in general. As an example, consider a shared quantum state where the computational basis corresponds to the Schmidt basis for only one of its subsystems, say for $A$. Let $|\psi\rangle = \alpha|0\rangle_A|\xi_0\rangle_B + \beta|1\rangle_A|\xi_1\rangle_B$ be such that both subsystems are two-dimensional, $\{|\xi_0\rangle, |\xi_1\rangle\} \neq \{|0\rangle, |1\rangle\}$, $\langle\xi_0|\xi_1\rangle = 0$, and $|\langle\xi_0|0\rangle| \neq |\langle\xi_1|0\rangle|$. We then have $S(X|B) = 0$ and $S(Y|A) > 0$ while $X = X \searrow Y$ and $Y = Y \searrow X$.

To illustrate this definition of triviality, we argue in the following that if a primitive $P_{X,Y}$ has a trivial regular embedding, there exists a classical protocol which generates $X, Y$ securely in the HBC model. Let $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ be trivial and assume without loss of generality that $S(Y \searrow X \mid A) = 0$. Intuitively, this means that Alice can learn everything possible about Bob's outcome $Y$ ($Y$ could include some private coin-flips on Bob's side, but that is "filtered out" by the dependent part). More precisely, Alice holding register $A$ can measure her part of the shared state to completely learn a realization of $Y \searrow X$, specifying $P_{X|Y=y}$. She then chooses $X$ according to the distribution $P_{X|Y=y}$. An equivalent way of trivially generating $(X,Y)$ classically is the following classical protocol:

1. Alice samples $y'$ from distribution $P_{Y \searrow X}$ and announces the outcome to Bob.

2. Alice samples $x$ from distribution $P_{X \mid Y \searrow X = y'}$.

3. Bob samples $y$ from distribution $P_{Y \mid Y \searrow X = y'}$.

Of course, the same reasoning applies in case $S(X \searrow Y \mid B) = 0$ with the roles of Alice and Bob reversed.

In fact, the following lemma shows that any non-trivial primitive $P_{X,Y}$ has a non-trivial embedding, i.e. there exists a quantum protocol strict-correctly implementing $P_{X,Y}$ while leaking less information to QHBC adversaries than any classical protocol for $P_{X,Y}$ in the HBC model.

Lemma 3.5. If $P_{X,Y}$ is a non-trivial primitive then the canonical embedding $|\psi_0\rangle \in \mathcal{E}(P_{X,Y})$ is also non-trivial.

12 See Footnote 6 for a caveat about this terminology.

Proof. A non-trivial embedding of $P_{X,Y}$ can be created from a non-trivial embedding of $P_{X \searrow Y, Y \searrow X}$ by applying local unitary transforms. We therefore assume without loss of generality that $X = X \searrow Y$ and $Y = Y \searrow X$. Let
\[
|\psi_0\rangle := \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle
\]
be the canonical embedding of $P_{X,Y}$. Since $X = X \searrow Y$ and $Y = Y \searrow X$, it holds for any $x_0 \neq x_1$ that $P_{Y|X=x_0} \neq P_{Y|X=x_1}$. Furthermore, since $P_{X,Y}$ is non-trivial, there exist $x_0 \neq x_1$ and $y_0$ such that $P_{Y|X=x_0}(y_0) > 0$ and $P_{Y|X=x_1}(y_0) > 0$. The state $|\psi_0\rangle$ can be written in the form:
\[
|\psi_0\rangle = \sqrt{P_X(x_0)}\,|x_0\rangle \sum_y \sqrt{P_{Y|X=x_0}(y)}\,|y\rangle + \sqrt{P_X(x_1)}\,|x_1\rangle \sum_y \sqrt{P_{Y|X=x_1}(y)}\,|y\rangle + |\psi'\rangle ,
\]
where $\mathrm{tr}(|x_0\rangle\langle x_0|\, \mathrm{tr}_B |\psi'\rangle\langle\psi'|) = \mathrm{tr}(|x_1\rangle\langle x_1|\, \mathrm{tr}_B |\psi'\rangle\langle\psi'|) = 0$. Set $|\psi^{x_b}\rangle := \sum_y \sqrt{P_{Y|X=x_b}(y)}\,|y\rangle$ for $b \in \{0,1\}$. Since $P_{Y|X=x_0} \neq P_{Y|X=x_1}$, we get that $|\langle\psi^{x_0}|\psi^{x_1}\rangle| < 1$. Because all coefficients at $|y\rangle$ in the normalized vectors $|\psi^{x_0}\rangle$ and $|\psi^{x_1}\rangle$ are non-negative, and the coefficients at $|y_0\rangle$ are both positive, $\langle\psi^{x_0}|\psi^{x_1}\rangle \neq 0$. Therefore, the non-identical states $|\psi^{x_0}\rangle$ and $|\psi^{x_1}\rangle$ cannot be perfectly distinguished, which implies that Bob cannot learn whether $X = x_0$ or $X = x_1$ with probability 1. Therefore, the von Neumann entropy on Bob's side $S(B)$ satisfies $S(B) < H(X)$. As shown in [WW05a], $H(X \searrow Y \mid Y) > 0$ implies $H(Y \searrow X \mid X) > 0$, and we can argue in the same way as above that $S(A) < H(Y)$, from which it follows that $|\psi_0\rangle$ is a non-trivial quantum embedding of $P_{X,Y}$. □
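As an added example (this is not code from the paper or its authors), the following Python computes the dependent part $X \searrow Y$ using the definition from Section 2 (two values $x, x'$ are identified exactly when $P_{Y|X=x} = P_{Y|X=x'}$) and then evaluates the triviality criterion of Definition 3.3 on constructed primitives: randomized 1-out-of-2 OT, the primitive $P_{XY,Y}$ produced by the protocol of Section 3.1 in which Alice samples both outputs and keeps a copy of $Y$, and two independent uniform bits. All function names and the sample distributions are this example's own assumptions.

```python
from math import log2


def shannon(probs):
    """Shannon entropy in bits of an iterable of probabilities."""
    return -sum(p * log2(p) for p in probs if p > 0)


def marginal(P, coord):
    """Marginal of a joint distribution P[(x, y)] on coordinate 0 (X) or 1 (Y)."""
    out = {}
    for key, p in P.items():
        out[key[coord]] = out.get(key[coord], 0.0) + p
    return out


def swap(P):
    """Exchange the roles of X and Y, i.e. build P_{Y,X} from P_{X,Y}."""
    return {(y, x): p for (x, y), p in P.items()}


def dependent_part(P):
    """Map x -> label of its class in X↘Y (dependent part of X from Y, Section 2):
    two values x, x' get the same label iff P_{Y|X=x} == P_{Y|X=x'}."""
    px = marginal(P, 0)
    classes, label = {}, {}
    for x in px:
        cond = tuple(sorted((y, round(p / px[x], 9))
                            for (xx, y), p in P.items() if xx == x))
        classes.setdefault(cond, len(classes))
        label[x] = classes[cond]
    return label


def dependent_part_cond_entropy(P):
    """H(X↘Y | Y) = H(f(X), Y) - H(Y), with f the dependent-part labelling."""
    f = dependent_part(P)
    joint = {}
    for (x, y), p in P.items():
        joint[(f[x], y)] = joint.get((f[x], y), 0.0) + p
    return shannon(joint.values()) - shannon(marginal(P, 1).values())


def is_trivial(P, tol=1e-9):
    """Definition 3.3: P_{X,Y} is trivial iff H(X↘Y | Y) = 0, equivalently H(Y↘X | X) = 0.
    Both conditions are evaluated and must agree."""
    h_xy = dependent_part_cond_entropy(P)
    h_yx = dependent_part_cond_entropy(swap(P))
    if (h_xy < tol) != (h_yx < tol):
        raise ValueError("triviality conditions disagree: %g vs %g" % (h_xy, h_yx))
    return h_xy < tol


# ---- constructed sample primitives (this example's own, not the paper's tables) ----

def randomized_ot():
    """Randomized 1-out-of-2 OT: X = (b0, b1) uniform, Y = (c, b_c) with c uniform."""
    P = {}
    for b0 in (0, 1):
        for b1 in (0, 1):
            for c in (0, 1):
                P[((b0, b1), (c, (b0, b1)[c]))] = 1 / 8
    return P


def keep_a_copy(P):
    """P_{XY,Y} from Section 3.1: Alice samples (x, y), sends y to Bob and keeps a copy."""
    return {((x, y), y): p for (x, y), p in P.items()}


def independent_bits():
    """Two independent uniform bits: nothing to learn, hence trivial."""
    return {(x, y): 1 / 4 for x in (0, 1) for y in (0, 1)}


if __name__ == "__main__":
    for name, P in [("OT", randomized_ot()),
                    ("P_{XY,Y} built from OT", keep_a_copy(randomized_ot())),
                    ("independent bits", independent_bits())]:
        print(name, "H(X↘Y|Y) =", round(dependent_part_cond_entropy(P), 6),
              "trivial:", is_trivial(P))
```

For OT every $x$ has a distinct conditional distribution, so $X \searrow Y = X$ and $H(X \searrow Y \mid Y) = H(X|Y) = 1$ bit; the copy-keeping variant collapses $X' = (X,Y)$ onto $Y$ under the dependent part and is classified trivial, which is exactly why Section 3.1 says it implements a different primitive.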

4 The Leakage of Quantum Embeddings 

In this section, we formally define the leakage of embeddings and establish properties of the leakage.

4.1 Definition and Basic Properties of Leakage

A perfect implementation of $P_{X,Y}$ simply provides $X$ to Alice and $Y$ to Bob and does nothing else. The expected amount of information that one random variable gives about the other is $I(X;Y) = H(X) - H(X|Y) = H(Y) - H(Y|X) = I(Y;X)$. Intuitively, we define the leakage of a quantum embedding $|\psi\rangle_{ABA'B'}$ of $P_{X,Y}$ as the larger of the two following quantities: the extra amount of information Bob's quantum registers $BB'$ provide about $X$, and the extra amount Alice's quantum state in $AA'$ provides about $Y$, respectively, in comparison to "the minimum amount" $I(X;Y)$.¹³

Definition 4.1. Let $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ be an embedding of $P_{X,Y}$. We define the leakage of $|\psi\rangle$ as
\[
\Delta_\psi(P_{X,Y}) := \max\{\, S(X;BB') - I(X;Y),\ S(AA';Y) - I(X;Y) \,\} .
\]

Furthermore, we say that $|\psi\rangle$ is $\delta$-leaking if $\Delta_\psi(P_{X,Y}) \geq \delta$.

13 There are other natural candidates for the notion of leakage, such as the difference in difficulty between guessing Alice's output $X$ by measuring Bob's final quantum state $B$ and based on the output of the ideal functionality $Y$. While such definitions do make sense, they turn out not to be as easy to work with, and it is an open question whether the natural properties described later in this section can be established for these notions of leakage as well.

It is easy to see that the leakage is non-negative, since $S(X;BB') \geq S(X;\tilde B)$ for $\tilde B$ the result of a quantum operation applied to $BB'$. Such an operation could be the trace over the extra working register $B'$ and a measurement in the computational basis of each qubit of the part encoding $Y$, yielding $S(X;\tilde B) = I(X;Y)$.

We want to argue that our notion of leakage is a good measure for the privacy of the players' outputs. In the same spirit, we will argue that the minimum achievable leakage for a primitive is related to the "hardness" of implementing it. We start off by proving several basic properties of leakage.

For a general state in $\mathcal{H}_{ABA'B'}$ the quantities $S(X;BB') - I(X;Y)$ and $S(AA';Y) - I(X;Y)$ are not necessarily equal. Note though that they coincide for regular embeddings $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ produced by a strictly correct protocol (where the work spaces $A'$ and $B'$ are empty): Notice that $S(X;B) = S(X) + S(B) - S(X,B) = H(X) + S(B) - H(X) = S(B)$ and, because $|\psi\rangle$ is pure, $S(A) = S(B)$. Therefore, $S(X;B) = S(A;Y)$ and the two quantities coincide. The following lemma states that this actually happens for all embeddings and hence, the definition of leakage is symmetric with respect to both players.
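As an added example (not the paper's code), the following Python builds the coefficient matrix $M_{x,y} = e^{i\theta(x,y)}\sqrt{P_{X,Y}(x,y)}$ of a regular embedding, forms $\rho_A = MM^{T}$ and $\rho_B = M^{T}M$, and evaluates $\Delta_\psi(P_{X,Y}) = S(A) - I(X;Y)$, i.e. Definition 4.1 specialised to empty working registers; it also checks the identity $S(A) = S(B)$ used in the paragraph above. It restricts the phase function to $\theta(x,y) \in \{0,\pi\}$ so that all matrices stay real and a small pure-Python Jacobi eigenvalue routine suffices (an assumption of the example, not of the paper). The sample primitives (randomized OT, two independent bits) and every function name are constructed for this example.

```python
from math import atan2, cos, log2, sin, sqrt


def shannon(probs):
    """Shannon entropy in bits; tiny negative eigenvalues from rounding are skipped."""
    return -sum(p * log2(p) for p in probs if p > 1e-12)


def symmetric_eigenvalues(M, sweeps=100):
    """Eigenvalues of a real symmetric matrix by cyclic Jacob rotations (pure Python)."""
    A = [row[:] for row in M]
    n = len(A)
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                th = 0.5 * atan2(2 * A[p][q], A[q][q] - A[p][p])
                c, s = cos(th), sin(th)
                for k in range(n):            # A <- A J
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):            # A <- J^T A
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]


def vn_entropy(rho):
    """Von Neumann entropy S(rho) in bits of a real symmetric density matrix."""
    return shannon(symmetric_eigenvalues(rho))


def mutual_information(P):
    """Classical I(X;Y) = H(X) + H(Y) - H(X,Y) of the joint distribution P[(x, y)]."""
    px, py = {}, {}
    for (x, y), p in P.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return shannon(px.values()) + shannon(py.values()) - shannon(P.values())


def coefficient_matrix(P, sign=lambda x, y: 1):
    """M[x][y] = sign(x,y) * sqrt(P(x,y)) for |psi_theta> = sum_{x,y} M[x][y] |x,y>_{AB};
    sign(x,y) in {+1, -1} stands for theta(x,y) in {0, pi} (all +1: canonical embedding)."""
    xs, ys = sorted({x for x, _ in P}), sorted({y for _, y in P})
    M = [[0.0] * len(ys) for _ in xs]
    for (x, y), p in P.items():
        M[xs.index(x)][ys.index(y)] = sign(x, y) * sqrt(p)
    return M


def reduced_states(M):
    """rho_A = M M^T (Alice) and rho_B = M^T M (Bob) of the pure state with coefficients M."""
    rows, cols = len(M), len(M[0])
    rho_a = [[sum(M[i][k] * M[j][k] for k in range(cols)) for j in range(rows)] for i in range(rows)]
    rho_b = [[sum(M[k][i] * M[k][j] for k in range(rows)) for j in range(cols)] for i in range(cols)]
    return rho_a, rho_b


def entropies(P, sign=lambda x, y: 1):
    """(S(A), S(B)) of the regular embedding; they agree because the joint state is pure."""
    rho_a, rho_b = reduced_states(coefficient_matrix(P, sign))
    return vn_entropy(rho_a), vn_entropy(rho_b)


def leakage(P, sign=lambda x, y: 1):
    """Delta_psi(P) = S(A) - I(X;Y) for a regular embedding (Definition 4.1, A' and B' empty)."""
    s_a, s_b = entropies(P, sign)
    assert abs(s_a - s_b) < 1e-9, "S(A) must equal S(B) for a pure bipartite state"
    return s_a - mutual_information(P)


# ---- constructed sample primitives ----

def randomized_ot():
    """Randomized 1-out-of-2 OT: X = (b0, b1), Y = (c, b_c); each consistent pair has prob 1/8."""
    return {((b0, b1), (c, (b0, b1)[c])): 1 / 8 for b0 in (0, 1) for b1 in (0, 1) for c in (0, 1)}


def independent_bits():
    return {(x, y): 1 / 4 for x in (0, 1) for y in (0, 1)}


if __name__ == "__main__":
    print("OT, canonical embedding:", round(leakage(randomized_ot()), 6))           # 0.5
    print("independent bits, canonical:", round(leakage(independent_bits()), 6))   # 0.0
    # the phase (-1)^{xy} turns |+>|+> into a maximally entangled state: leakage 1 bit
    print("independent bits, theta = pi*x*y:",
          round(leakage(independent_bits(), lambda x, y: -1 if x * y else 1), 6))  # 1.0
```

For the canonical embedding of OT, $\rho_A$ has eigenvalues $\{1/2, 1/4, 1/4, 0\}$, so $S(A) = 1.5$ bits against $I(X;Y) = 1$ bit, a leakage of half a bit; the independent-bits case shows that the phase function alone can move the leakage from $0$ to $1$ bit, which is why the leakage of a primitive (Definition 4.4 below) is a minimum over phase functions.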

Lemma 4.2 (Symmetry). Let $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ be an embedding of $P_{X,Y}$. Then,
\[
\Delta_\psi(P_{X,Y}) = S(X;BB') - I(X;Y) = S(AA';Y) - I(X;Y) .
\]

Proof. We have already shown that the statement is true in the case where both $A'$ and $B'$ are trivial. In the case where $A'$ is trivial and $B'$ is not, the Markov chain condition implies that $|\psi\rangle$ is of the form
\[
|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} |\varphi_y\rangle_{B'} ,
\]
hence, Bob can fix $y_0$ and apply a unitary transform $U_{BB'}$ on his part of the system such that $U_{BB'}|y,\varphi_y\rangle = |y,\varphi_{y_0}\rangle$, and
\[
I_A \otimes U_{BB'}\, |\psi\rangle_{ABB'} = |\psi^*\rangle_{AB} \otimes |\varphi_{y_0}\rangle_{B'} ,
\]
where $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$. Note that the unitary transform $U_{BB'}$ does not change the entropic quantity $S(X;BB')_{\psi} = S(X;BB')_{U_{BB'}\psi}$. Hence, in the resulting product state, we have that $S(X;BB') - I(X;Y) = S(X;B) - I(X;Y) = S(A;Y) - I(X;Y)$, due to the fact that $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$. An analogous statement holds in the case where $B'$ is trivial and $A'$ is non-trivial.

We now assume that both $A'$ and $B'$ are non-trivial. An embedding of $P_{X,Y}$ can be written as
\[
|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} |\varphi^{x,y}\rangle_{A'B'}
= \sum_j \sqrt{P_C(j)} \sum_{x \in \mathcal{X}_j,\, y \in \mathcal{Y}_j} \sqrt{P_{X,Y|C=j}(x,y)}\, |x,y\rangle_{AB} |\varphi^{x,y}\rangle_{A'B'}
= \sum_j \sqrt{P_C(j)}\, |\psi_j\rangle_{ABA'B'} ,
\]
where $C$ denotes the connected component of $X, Y$ (see Section 2.1) and where for any $j$, $|\psi_j\rangle$ is an embedding of the single-component primitive $P_{X_j,Y_j}$.
We want to show that
\[
S(X;BB')_\psi - I(X;Y) = S(AA';Y)_\psi - I(X;Y) . \tag{3}
\]
Using the reasoning of Equation (2) for the three terms $S(X;BB')$, $I(X;Y)$, $S(AA';Y)$, Equation (3) is equivalent to¹⁴
\[
S(X;BB'|C)_\psi - I(X;Y|C) = S(AA';Y|C)_\psi - I(X;Y|C)
\]
and hence, it suffices to show symmetry for all single-component primitives $P_{X_j,Y_j}$ and their embeddings $|\psi_j\rangle$. For the rest of the proof, we drop the index $j$ for ease of notation.

Note that $S(X;BB') = H(X) + S(BB') - S(XBB')$ and $S(AA';Y) = H(Y) + S(AA') - S(AA'Y)$. As $|\psi\rangle$ is a pure state, we have that $S(AA')_\psi = S(BB')_\psi$, and it suffices to show that
\[
H(X) - S(XBB')_\psi = H(Y) - S(AYA')_\psi . \tag{4}
\]

For every $x$ and $y$, we can write the bipartite pure state
\[
|\varphi^{x,y}\rangle_{A'B'} = \sum_{k=1}^{K} \sqrt{\lambda_k^{x,y}}\, |e_k^{x,y}\rangle_{A'} |f_k^{x,y}\rangle_{B'}
\]
in Schmidt form. For the reduced density matrices, we obtain
\[
\rho_{A'}^{x,y} = \sum_k \lambda_k^{x,y}\, |e_k^{x,y}\rangle\langle e_k^{x,y}| \quad\text{and}\quad
\rho_{B'}^{x,y} = \sum_k \lambda_k^{x,y}\, |f_k^{x,y}\rangle\langle f_k^{x,y}| .
\]

Since any embedding $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ of $P_{X,Y}$ is produced by a strictly correct protocol, it satisfies
\[
S(XA';Y) = S(X;YB') = I(X;Y) ,
\]
which is equivalent by Lemma 2.3 to $A' \leftrightarrow X \leftrightarrow Y$ and $X \leftrightarrow Y \leftrightarrow B'$ being Markov chains. It follows that for every $x$ and $y \neq y'$ in the same connected component of $P_{XY}$, the reduced density matrices $\rho_{A'}^{x,y} = \rho_{A'}^{x,y'} =: \rho_{A'}^{x}$ coincide and therefore, the eigenvalues $\lambda_k^{x,y}$ cannot depend on $y$. Because of $X \leftrightarrow Y \leftrightarrow B'$, they can neither depend on $x$. Hence, $|\varphi^{x,y}\rangle = \sum_k \sqrt{\lambda_k}\, e^{i\theta(k,x,y)}\, |e_k^{x,y}\rangle |f_k^{x,y}\rangle$.¹⁵ The phase factors arise from the fact that from a reduced density matrix the global phases of the Schmidt-basis elements cannot be determined.

Let us fix a set of orthogonal states $\{|k\rangle\}_k$. We define the unitary transformation $U_{ABA'B'}$ to map the orthonormal states $\{|e_k^{x,y}\rangle_{A'}\}_k$ into the orthonormal states $\{|k\rangle_{A'}\}_k$, and $\{|f_k^{x,y}\rangle_{B'}\}_k$ into $\{|k\rangle_{B'}\}_k$. Note that $U_{ABA'B'}$ only acts on registers $A'B'$ conditioned on the $x$-value in $A$ and the $y$-value in $B$. Applying $U_{ABA'B'}$ to $|\psi\rangle$ results in the state
\[
|\chi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} \sum_k \sqrt{\lambda_k}\, e^{i\theta(k,x,y)} |k,k\rangle_{A'B'}
= \sum_k \sqrt{\lambda_k} \Big( \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, e^{i\theta(k,x,y)} |x,y\rangle \Big) |k,k\rangle
= \sum_k \sqrt{\lambda_k}\, |\chi_k\rangle_{AB} \otimes |k,k\rangle_{A'B'} ,
\]
where each $|\chi_k\rangle_{AB} \in \mathcal{E}(P_{X,Y})$. The cqq-state $\sigma_{XBB'}$ can now be written in the form:

14 The only step that needs some extra thought is the following: $S(X|BB') = S(X|BB'C)$ holds, because the component $C$ can be determined with certainty by measuring register $B$ with projectors $\{\sum_{y \in \mathcal{Y}_j} |y\rangle\langle y|_B\}_j$.

15 We note that it is only possible to draw this conclusion within the same connected component. The eigenvalues $\lambda_k^{x,y}$ and $\lambda_k^{x',y'}$ for $x,y$ and $x',y'$ not in the same connected component of $P_{XY}$ cannot be related to each other.
\[
\sigma_{XBB'} = \sum_x P_X(x)\, |x\rangle\langle x| \otimes \sum_k \lambda_k\, |\gamma_{x,k}\rangle\langle\gamma_{x,k}| ,
\]
where $|\gamma_{x,k}\rangle = \sum_y \sqrt{P_{Y|X=x}(y)}\, e^{i\theta(k,x,y)} |y\rangle_B |k\rangle_{B'}$. Due to the second register, the states $|\gamma_{x,k}\rangle$ are mutually orthogonal for each $x$. Therefore, for each $x$,
\[
S\Big(\sum_k \lambda_k\, |\gamma_{x,k}\rangle\langle\gamma_{x,k}|\Big) = H(\lambda_1, \ldots, \lambda_K) .
\]
As a result we get that
\[
S(XBB')_\chi = H(X) + \sum_x P_X(x)\, H(\lambda_1, \ldots, \lambda_K) = H(X) + H(\lambda_1, \ldots, \lambda_K)
\]
and analogously,
\[
S(AA'Y)_\chi = H(Y) + H(\lambda_1, \ldots, \lambda_K) .
\]

Equation (4) now follows by applying Lemma 2.1 in the first and last step of the following equations.
\[
\begin{aligned}
H(X) - S(XBB')_\psi &= H(X) - S(XBB')_\chi \\
&= -H(\lambda_1, \ldots, \lambda_K) \\
&= H(Y) - S(AYA')_\chi \\
&= H(Y) - S(AYA')_\psi .
\end{aligned}
\]
□

If a primitive $P_{X,Y}$ has multiple connected components and $|\psi_j\rangle$ are (not necessarily regular) embeddings of $P_{X_j,Y_j}$, then the state $|\psi\rangle := \sum_j \sqrt{P_C(j)}\, |\psi_j\rangle$ is an embedding of $P_{X,Y}$ with leakage
\[
\Delta_\psi(P_{X,Y}) = S(X;BB')_\psi - I(X;Y) = S(X;BB'|C)_\psi - I(X;Y|C)
= \sum_j P_C(j)\, \Delta_{\psi_j}(P_{X_j,Y_j}) , \tag{5}
\]
by the same reasoning as in the previous proof (along the lines of Equation (2)). Any party can determine the active component without disturbing the state once the other party got his/her output (see Footnote 14). Therefore, measuring the component $C$ can be done without changing the amount of information the state contains about the other party's output. Hence, we can always assume that the parties know the current component in use.

The next lemma shows that the leakage of an embedding for a given primitive is always lower-bounded by the leakage of some regular embedding of the same primitive, which simplifies the calculation of lower bounds for the leakage of embeddings.

Lemma 4.3. For every embedding $|\psi\rangle$ of a primitive $P_{X,Y}$, there exists $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$ such that $\Delta_\psi(P_{X,Y}) \geq \Delta_{\psi^*}(P_{X,Y})$.

Proof. In the case where $A'$ and $B'$ are both trivial, $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ is a regular embedding and the statement holds trivially. In the case where $A'$ is trivial and $B'$ is not, we have shown at the beginning of the proof of Lemma 4.2 that an embedding $|\psi\rangle$ of $P_{X,Y}$ is locally equivalent to a state $|\psi'\rangle_{AB} \otimes |\sigma\rangle_{B'}$ for $|\psi'\rangle \in \mathcal{E}(P_{X,Y})$ and a pure state $|\sigma\rangle_{B'}$. An analogous statement holds if $B'$ is trivial and $A'$ is not. Therefore, in these two cases we get for some $|\psi'\rangle \in \mathcal{E}(P_{X,Y})$ that $\Delta_\psi(P_{X,Y}) = \Delta_{\psi'}(P_{X,Y})$.

Now assume that both $A'$ and $B'$ are non-trivial and that $P_{X,Y}$ has multiple connected components. As in the proof of Lemma 4.2, the state $|\psi\rangle_{ABA'B'}$ can be written as
\[
|\psi\rangle_{ABA'B'} = \sum_j \sqrt{P_C(j)}\, |\psi_j\rangle_{ABA'B'} ,
\]
where $|\psi_j\rangle$ is an embedding of $P_{X_j,Y_j}$, the primitive corresponding to the $j$th connected component of $P_{X,Y}$. Let us assume for now that the lemma holds for single-component primitives. In that case, we get for every $j$ and embedding $|\psi_j\rangle$ a regular embedding $|\psi'_j\rangle \in \mathcal{E}(P_{X_j,Y_j})$ such that $\Delta_{\psi_j}(P_{X_j,Y_j}) \geq \Delta_{\psi'_j}(P_{X_j,Y_j})$. We define $|\psi^*\rangle = \sum_j \sqrt{P_C(j)}\, |\psi'_j\rangle$ and conclude that
\[
\Delta_\psi(P_{X,Y}) = \sum_j P_C(j)\, \Delta_{\psi_j}(P_{X_j,Y_j}) \geq \sum_j P_C(j)\, \Delta_{\psi'_j}(P_{X_j,Y_j}) = \Delta_{\psi^*}(P_{X,Y}) ,
\]
where the equalities are due to Equation (5).

It remains to show the lemma for single-component primitives $P_{X,Y}$. The state $|\psi\rangle_{ABA'B'}$ is of the form established in the proof of Lemma 4.2:
\[
|\psi\rangle_{ABA'B'} = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} \otimes \sum_k \sqrt{\lambda_k}\, e^{i\theta(k,x,y)} |e_k^{x,y}\rangle_{A'} |f_k^{x,y}\rangle_{B'} . \tag{6}
\]
Let $\Lambda = (\lambda_1, \lambda_2, \ldots, \lambda_L)$ be an ordering of all eigenvalues $\{\lambda_k\}_k$, each repeated as many times as its multiplicity. Let $F_{x,y} = \{f_k^{x,y}\}_k$ be the set of eigenvectors in $B'$ for each pair $(x,y)$. Since $X \leftrightarrow Y \leftrightarrow B'$ is a Markov chain, the eigenvectors $f_k^{x,y}$ can be chosen such that $F_{x,y} = F_{x',y} =: F_y$ for any $x, x', y$ in the same connected component. Let us fix an ordering of the elements of $F_y$, $(F_y) = (f_1^y, f_2^y, \ldots, f_L^y)$, such that eigenvector $f_h^y$ has eigenvalue $\lambda_h$ for every $y \in \mathcal{Y}$.¹⁶

16 The Markov chain condition guarantees that a single ordering $(F_y)$ suffices in the following sense: two eigenvectors $f_k^{x,y} \in F_{x,y}$ and $f_{k'}^{x',y} \in F_{x',y}$ such that $f_k^{x,y} = f_{k'}^{x',y} = f_h^y$ for some $f_h^y \in F_y$ necessarily have the same eigenvalue $\lambda_h$.








Consider the (incomplete) projective measurement $\mathcal{M} = \{Q_h\}_h$ with measurement operators
\[
Q_h = \sum_{y \in \mathcal{Y}} |y\rangle\langle y|_B \otimes |f_h^y\rangle\langle f_h^y|_{B'} .
\]
Now, suppose that $\mathcal{M}$ is applied to registers $BB'$ of $|\psi\rangle_{ABA'B'}$. It is easy to verify that with probability $\lambda_h$, outcome $h$ will be obtained and the state will collapse to:
\[
|\psi_h\rangle_{ABA'B'} = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} \otimes e^{i\theta(k(h,x,y),x,y)}\, |e_{k(h,x,y)}^{x,y}\rangle_{A'} \otimes |f_h^y\rangle_{B'} ,
\]
where $k(h,x,y)$ is the index such that $|e_{k(h,x,y)}^{x,y}\rangle$ is associated with $|f_h^y\rangle$ in the Schmidt decomposition (6) when $X = x$ and $Y = y$. Notice that $|\psi_h\rangle$ is an embedding of $P_{X,Y}$. Let $U_h \in \mathcal{U}(BB')$ be the local unitary transform on $BB'$ defined as:
\[
U_h\, |y\rangle_B |f_h^y\rangle_{B'} = |y\rangle_B |0\rangle_{B'} ,
\]
and let $|\tilde\psi_h\rangle = (I_{AA'} \otimes U_h)\, |\psi_h\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, |x,y\rangle_{AB} \otimes e^{i\theta(k,x,y)} |e_k^{x,y}\rangle_{A'} |0\rangle_{B'}$ be an embedding of $P_{X,Y}$ locally equivalent to $|\psi_h\rangle$ but with a trivial register $B'$.

Let us put things together:
\[
\begin{aligned}
S(X;BB')_\psi &\geq S(X;BB')_{\mathcal{M}(\psi)} \\
&= \sum_h \lambda_h\, S(X;BB')_{\psi_h} \\
&\geq \min_h S(X;BB')_{\psi_h} \\
&= S(X;BB')_{\tilde\psi_{h^*}} ,
\end{aligned}
\tag{7, 8}
\]
where the first inequality (7) follows from the fact that the local measurement $\mathcal{M}$ does not increase mutual information [NC00, Theorem 11.15(3)], and the last equality (8) follows since $|\tilde\psi_h\rangle$ is locally equivalent to $|\psi_h\rangle$ for all $h$. Since $|\tilde\psi_{h^*}\rangle$ is an embedding of $P_{X,Y}$ with register $B'$ being trivial, we can use the reasoning from the beginning of the proof: $|\tilde\psi_{h^*}\rangle$ is locally equivalent to a state $|\psi^*\rangle_{AB} \otimes |\sigma\rangle_{A'}$ with $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$. By Lemma 4.2 the same proof applies to $S(Y;AA')_\psi$.

□


So far, we have defined the leakage of an embedding of a primitive. We now define the leakage of a primitive in the natural way:

Definition 4.4. We define the leakage of a primitive $P_{X,Y}$ as the minimal leakage among all protocols strict-correctly implementing $P_{X,Y}$. Formally,
\[
\Delta_{P_{X,Y}} := \min_{|\psi\rangle} \Delta_\psi(P_{X,Y}) ,
\]
where the minimization is over all embeddings $|\psi\rangle$ of $P_{X,Y}$.

Notice that the minimum in the previous definition is well-defined, because by Lemma 4.3 it is sufficient to minimize over regular embeddings $|\psi\rangle \in \mathcal{E}(P_{X,Y})$. Furthermore, the function $\Delta_\psi(P_{X,Y})$ is continuous on the compact (i.e. closed and bounded) set $[0,2\pi]^{|\mathcal{X} \times \mathcal{Y}|}$ of complex phases corresponding to elements $|x,y\rangle_{AB}$ in the formula for $|\psi\rangle_{AB} \in \mathcal{E}(P_{X,Y})$, and therefore it achieves its minimum.

The following theorem shows that the leakage of any embedding of a primitive $P_{X,Y}$ is lower-bounded by the minimal leakage achievable for the primitive $P_{X \searrow Y, Y \searrow X}$ (which due to Lemma 4.3 is achieved by a regular embedding).

Theorem 4.5. For any primitive $P_{X,Y}$: $\Delta_{P_{X,Y}} \geq \Delta_{P_{X \searrow Y, Y \searrow X}}$.

Proof. In fact, the random variables $X \searrow Y$ and $Y \searrow X$ in the claim can be replaced by any variables $X'$ and $Y'$ with the property that $X \leftrightarrow X' \leftrightarrow Y$ and $X \leftrightarrow Y' \leftrightarrow Y$ are Markov chains, and that $Y' = f_Y(Y)$ and $X' = f_X(X)$ for some deterministic functions $f_Y$ and $f_X$. For such random variables we then have $I(X';Y') = I(X;Y)$. Therefore, showing that for $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ with the lowest leakage among all regular embeddings of $P_{X,Y}$ (regularity follows from Lemma 4.3) and for some $|\psi^*\rangle \in \mathcal{E}(P_{X',Y'})$, it holds that
\[
S(A)_\psi - I(X;Y) = \Delta_\psi(P_{X,Y}) \geq \Delta_{\psi^*}(P_{X',Y'}) = S(A)_{\psi^*} - I(X';Y')
\]
is equivalent to proving $S(A)_\psi \geq S(A)_{\psi^*}$. First, we show that there exists $|\hat\psi\rangle \in \mathcal{E}(P_{X,Y'})$ such that $S(A)_\psi \geq S(A)_{\hat\psi}$, i.e. $\Delta_\psi(P_{X,Y}) \geq \Delta_{\hat\psi}(P_{X,Y'})$. The existence of $|\psi^*\rangle$ such that $\Delta_{\hat\psi}(P_{X,Y'}) \geq \Delta_{\psi^*}(P_{X',Y'})$ follows from an analogous argument.

State $|\psi\rangle$ can be written in the form:
\[
|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, e^{i\theta(x,y)} |x,y\rangle_{AB} .
\]
For any realization $y'$ of $Y'$, let $O_{y'}$ be the set of elements $y$ which are mapped to $y'$ under $f_Y(\cdot)$, i.e. $O_{y'} := \{y : f_Y(y) = y'\}$. Let $g$ denote the bijection mapping tuples $(y', j_y) \in \mathcal{Y}' \times O_{y'}$ back to $y$. There exists an isometry $U$ on Bob's side such that
\[
\begin{aligned}
(I_A \otimes U)\, |\psi\rangle_{AB} &= \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\, e^{i\theta(x,y)} |x, f_Y(y), j_y\rangle_{ABB^\perp} \\
&= \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\, |x,y'\rangle_{AB} \sum_{j \in O_{y'}} \sqrt{P_{Y|Y'=y'}(g(y',j))}\, e^{i\theta(x,g(y',j))} |j\rangle_{B^\perp} ,
\end{aligned}
\tag{9}
\]
where $\mathcal{H}_{BB^\perp} = \mathcal{H}_B$.

Our goal for the rest of the proof is to transform the register containing $j$ into a form where the order of the summations over $(x,y')$ and $j$ in (9) can be reversed, to get a state of the form
\[
|\tilde\psi\rangle = \frac{1}{\sqrt{t}} \sum_{j=1}^{t} |\psi_j\rangle_{AB} \otimes |j\rangle_{B'} , \tag{10}
\]
where $t$ is some normalization factor and each $|\psi_j\rangle$ is in $\mathcal{E}(P_{X,Y'})$. Due to concavity of the von Neumann entropy, we can then argue that
\[
\frac{1}{t} \sum_j S\big(\mathrm{tr}_{BB'} |\psi_j\rangle\langle\psi_j|\big) \leq S\Big(\frac{1}{t} \sum_j \mathrm{tr}_{BB'} |\psi_j\rangle\langle\psi_j|\Big) = S\big(\mathrm{tr}_{BB'} |\tilde\psi\rangle\langle\tilde\psi|\big) = S(A)_\psi . \tag{11}
\]
Hence, there exists a $j$ such that $|\psi_j\rangle \in \mathcal{E}(P_{X,Y'})$ and $S(A)_{\psi_j} \leq S(A)_{\tilde\psi} = S(A)_\psi$ (the isometries act on Bob's side only, so Alice's reduced state is unchanged), proving the claim.

Let us fix $\delta > 0$; we show the existence of an embedding $|\psi_j\rangle \in \mathcal{E}(P_{X,Y'})$ such that $S(A)_{\psi_j} \leq S(A)_\psi + \delta$. In order to reverse the order of summation in (9), we show the existence of an isometry $W$ on Bob's system such that
\[
|\tilde\psi\rangle := (I_A \otimes W)(I_A \otimes U)\, |\psi\rangle_{AB} = \frac{1}{\sqrt{t}} \sum_{z=1}^{t} |\psi_z\rangle_{AB} \otimes |z\rangle_{B'} ,
\]
where each $|\psi_z\rangle$ is a quantum embedding of a primitive $P_{\tilde X, \tilde Y}$ that is $\epsilon$-close (in statistical distance) to the primitive $P_{X,Y'}$.

The idea is, for a given $y'$ and $j \in O_{y'}$, to "slice up" the term $|j\rangle_{B^\perp}$ with weight $\sqrt{P_{Y|Y'=y'}(g(y',j))}$ into a lot of very small pieces of weight $1/\sqrt{t}$ by letting $W$ map $|j\rangle$ into superpositions of $|z\rangle_{B'}$, where $t \in \mathbb{N}$ is a large natural number to be determined later as a function of $\delta$. More formally, let us fix $y'$ and denote the elements of the set $O_{y'}$ as $\{1, 2, \ldots, k\}$. As a shorthand, we use $p_j := P_{Y|Y'=y'}(g(y',j))$ and note that $\sum_j p_j = 1$. We define $n_j := \lfloor t \cdot p_j \rfloor$ to be the natural number of pieces required to approximate $p_j \approx n_j / t$ for large $t$. Let $t_0 := 0$ and $t_j := \sum_{i \leq j} n_i$. Then, we define $W$ to map $|j\rangle_{B^\perp}$ to $\frac{1}{\sqrt{n_j}} \sum_{z=t_{j-1}+1}^{t_j} |z\rangle$ and get
\[
\begin{aligned}
|\tilde\psi\rangle &= (I_A \otimes W) \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\, |x,y'\rangle_{AB} \sum_{j \in O_{y'}} \sqrt{p_j}\, e^{i\theta(x,g(y',j))} |j\rangle_{B^\perp} \\
&= \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\, |x,y'\rangle_{AB} \sum_{j \in O_{y'}} \sqrt{\frac{p_j}{n_j}}\, e^{i\theta(x,g(y',j))} \sum_{z=t_{j-1}+1}^{t_j} |z\rangle .
\end{aligned}
\]

It is not hard to verify [Sot08] that $\sqrt{p_j/n_j}$ can be written as $1/\sqrt{t}$ plus an error term whose coefficient $|\epsilon(y',z)| < c$ is upper bounded by a constant $c$ independent of $t$. Then, we get



where $\theta'(x,y',z) = \theta(x,y)$ for $y$ corresponding to $(y',z)$. Using the reasoning from (11), we derive the existence of a $z$ such that the state $|\psi_z\rangle \in \mathcal{E}(P_{\tilde X, \tilde Y})$ is a regular embedding of a primitive $P_{\tilde X, \tilde Y}$ that is $\epsilon(t)$-close to $P_{X,Y'}$, and $\epsilon(t) \to 0$ when $t \to \infty$. Furthermore, we have that $S(A)_{\psi_z} \leq S(A)_\psi$. As $|\psi_z\rangle$ is a regular embedding, we can write $|\psi_z\rangle = \sum_{x,y} \sqrt{P_{\tilde X, \tilde Y}(x,y)}\, e^{i\tilde\theta(x,y)} |x\rangle|y\rangle$ for some phase function $\tilde\theta(x,y)$. We define the desired state $|\psi_j\rangle \in \mathcal{E}(P_{X,Y'})$ as $|\psi_j\rangle := \sum_{x,y} \sqrt{P_{X,Y'}(x,y)}\, e^{i\tilde\theta(x,y)} |x\rangle|y\rangle$. We can choose $t$ large enough such that the distance
\[
\big\| |\psi_j\rangle - |\psi_z\rangle \big\|
\]
is arbitrarily small and hence, by the continuity of the von Neumann entropy, also their entropies $S(A)$ differ by at most $\delta$. Hence, $S(A)_{\psi_j} \leq S(A)_{\psi_z} + \delta \leq S(A)_\psi + \delta$, which is what we wanted to show. □


4.2 Leakage as Measure of Privacy and Hardness of Implementation

The main results of this section are consequences of the Holevo bound (Theorem 2.2).

Theorem 4.6. If a two-party strictly correct quantum protocol for $P_{X,Y}$ does not leak then $P_{X,Y}$ is a trivial primitive.

Proof. Theorem 4.5 implies that if there is a 0-leaking embedding of $P_{X,Y}$ then there is also a 0-leaking embedding of $P_{X \searrow Y, Y \searrow X}$. Let us therefore assume that $|\psi\rangle$ is a non-leaking embedding of $P_{X,Y}$ such that $X = X \searrow Y$ and $Y = Y \searrow X$. We can write $|\psi\rangle$ in the form $|\psi\rangle = \sum_x \sqrt{P_X(x)}\, |x\rangle |\varphi_x\rangle$ and get $\rho_B = \sum_x P_X(x)\, |\varphi_x\rangle\langle\varphi_x|$. For the leakage of $|\psi\rangle$ we have: $\Delta_\psi(P_{X,Y}) = S(X;B) - I(X;Y) = S(\rho_B) - I(X;Y) = 0$. From the Holevo bound (Theorem 2.2) it follows that the states $\{|\varphi_x\rangle\}_x$ form an orthonormal basis of their span (since $X = X \searrow Y$, they are all different) and that $Y$ captures the result of a measurement in this basis, which therefore is the computational basis. Since $Y = Y \searrow X$, we get that for each $x$, there is a single $y_x \in \mathcal{Y}$ such that $|\varphi_x\rangle = |y_x\rangle$. Primitives $P_{X \searrow Y, Y \searrow X}$ and $P_{X,Y}$ are therefore trivial. □

In other words, the only primitives that two-party quantum protocols can implement strict-correctly (without the help of a trusted third party) without leakage are the trivial ones! We note also that strict correctness is not required for Theorem 4.6 to be true. A slightly more involved proof can be done solely based on the correct distribution of the output values. This result can be seen as a quantum extension of the corresponding characterization for the cryptographic power of classical protocols in the HBC model. Whereas classical two-party protocols cannot achieve anything non-trivial, their quantum counterparts necessarily leak information when they implement non-trivial primitives.

4.3 Tripartite Embeddings

In this section, we extend the notion of leakage to protocols involving a trusted third party. A special case of such protocols are the ones where the players are allowed one call to a black box which provides them with classical variables $X, Y$ sampled according to distribution $P_{X,Y}$. It is natural to ask which primitives $P_{X,Y}$ can be implemented without leakage in this case.

The state produced by purifying Alice's and Bob's actions in such a protocol up to the final measurement yielding $X$ and $Y$ can without loss of generality be viewed as a pure state shared among Alice, Bob and an environment: $|\psi\rangle_{EABA'B'} = \sum_e \sqrt{P_E(e)}\, |e\rangle_E \otimes |\psi_e\rangle_{ABA'B'}$. We define tripartite embeddings of a primitive $P_{X,Y}$ analogously to the case of embeddings:

Definition 4.7. A state $|\psi\rangle = \sum_e \sqrt{P_E(e)}\, |e\rangle_E \otimes |\psi_e\rangle_{ABA'B'}$ is a tripartite embedding of $P_{X,Y}$ if measuring registers $A$ and $B$ in the computational basis yields $X, Y$ with distribution $P_{X,Y}$ and the ensemble $\rho_{ABA'B'} := \mathrm{tr}_E |\psi\rangle\langle\psi|$ satisfies $S(X;YB') = S(XA';Y) = I(X;Y)$.

The generalization of the notion of leakage to tripartite embeddings is straightforward:

Definition 4.8. Let $|\psi\rangle \in \mathcal{H}_E \otimes \mathcal{H}_{ABA'B'}$ be a tripartite embedding of $P_{X,Y}$. We define the leakage of $\rho_{ABA'B'} := \mathrm{tr}_E |\psi\rangle\langle\psi|$ viewed as an implementation of $P_{X,Y}$ as
\[
\Delta_{\rho_{ABA'B'}}(P_{X,Y}) := \max\{\, S(X;BB') - I(X;Y),\ S(AA';Y) - I(X;Y) \,\} .
\]

The leakage of a tripartite embedding is non-negative, for the same reason as in the bipartite case. However, it is not necessarily symmetric, for instance for the state $|\psi\rangle_{EAB} = \sqrt{1/3}\,(|001\rangle + |110\rangle + |111\rangle)$, which can be verified numerically.
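To carry out that numerical check, here is an added Python example (not the paper's code) that evaluates both terms of Definition 4.8 for a three-qubit state with real amplitudes and empty working registers: $S(X;B)$ is computed from Bob's conditional states after Alice measures $A$ (with $E$ traced out), and $S(A;Y)$ symmetrically. The register order $(E, A, B)$, the function names and the 2x2 closed-form eigenvalue routine are this example's own assumptions.

```python
from math import log2, sqrt

E, A, B = 0, 1, 2   # register order inside the amplitude keys (e, a, b)


def shannon(probs):
    return -sum(p * log2(p) for p in probs if p > 1e-12)


def qubit_entropy(rho):
    """Von Neumann entropy of a 2x2 real symmetric density matrix (closed-form eigenvalues)."""
    tr = rho[0][0] + rho[1][1]
    det = rho[0][0] * rho[1][1] - rho[0][1] * rho[1][0]
    disc = sqrt(max(tr * tr / 4 - det, 0.0))
    return shannon([tr / 2 + disc, tr / 2 - disc])


def example_state():
    """|psi>_EAB = (|001> + |110> + |111>)/sqrt(3), the state named in Section 4.3."""
    return {(0, 0, 1): 1 / sqrt(3), (1, 1, 0): 1 / sqrt(3), (1, 1, 1): 1 / sqrt(3)}


def holevo_info(psi, measured, kept):
    """S(X;K) where X is the computational-basis outcome of register `measured` and K is
    register `kept`; the third register is traced out. Equals S(rho_K) - sum_x P(x) S(rho_K^x)."""
    traced = ({E, A, B} - {measured, kept}).pop()
    px, cond = {}, {}
    for outcome in (0, 1):
        rho = [[0.0, 0.0], [0.0, 0.0]]
        for t in (0, 1):                      # partial trace over the third register
            v = [0.0, 0.0]
            for k in (0, 1):
                idx = [0, 0, 0]
                idx[measured], idx[kept], idx[traced] = outcome, k, t
                v[k] = psi.get(tuple(idx), 0.0)
            for i in (0, 1):
                for j in (0, 1):
                    rho[i][j] += v[i] * v[j]
        p = rho[0][0] + rho[1][1]              # probability of this outcome
        if p > 0:
            px[outcome] = p
            cond[outcome] = [[r / p for r in row] for row in rho]
    avg = [[sum(px[o] * cond[o][i][j] for o in px) for j in (0, 1)] for i in (0, 1)]
    return qubit_entropy(avg) - sum(px[o] * qubit_entropy(cond[o]) for o in px)


def mutual_information(psi):
    """I(X;Y) of the classical outcomes from measuring A and B in the computational basis."""
    pxy, px, py = {}, {}, {}
    for (e, a, b), amp in psi.items():
        pxy[(a, b)] = pxy.get((a, b), 0.0) + amp * amp
    for (a, b), p in pxy.items():
        px[a] = px.get(a, 0.0) + p
        py[b] = py.get(b, 0.0) + p
    return shannon(px.values()) + shannon(py.values()) - shannon(pxy.values())


def leakage_terms(psi):
    """(S(X;B) - I(X;Y), S(A;Y) - I(X;Y)): the two terms of Definition 4.8 with A', B' empty."""
    i_xy = mutual_information(psi)
    return holevo_info(psi, A, B) - i_xy, holevo_info(psi, B, A) - i_xy


def tripartite_leakage(psi):
    return max(leakage_terms(psi))


if __name__ == "__main__":
    bob_side, alice_side = leakage_terms(example_state())
    print("Bob's side   S(X;B) - I(X;Y) =", round(bob_side, 4))    # about 0.2984
    print("Alice's side S(A;Y) - I(X;Y) =", round(alice_side, 4))  # 0.0
```

After tracing out $E$ and measuring $B$, Alice's register is classical, so her term vanishes; after measuring $A$, Bob holds $|1\rangle$ or $|+\rangle$ depending on $X$, which carries about $0.30$ bits more about $X$ than $Y$ alone does. That is the asymmetry the paragraph above refers to.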

The following theorem shows that non-leaking embeddings of any given primitive have the property that Bob's register $\tilde B$ holding his dependent part $Y \searrow X$ has to be classical if Alice honestly measures her register $A$ in the computational basis to obtain $X$. An analogous statement holds with the roles of Alice and Bob exchanged. Intuitively, this means that Bob cannot learn more than $Y \searrow X$ about Alice's outcome $X$ from a non-leaking embedding.
Theorem 4.9. Let $|\psi\rangle \in \mathcal{H}_E \otimes \mathcal{H}_{ABA'B'}$ be a non-leaking tripartite embedding of primitive $P_{X,Y}$, where $\mathcal{H}_A = \mathcal{H}_{\tilde A} \otimes \mathcal{H}_{A^\perp}$ and $\mathcal{H}_B = \mathcal{H}_{\tilde B} \otimes \mathcal{H}_{B^\perp}$. Then, there exist unitary transforms $U \in \mathcal{U}(A)$ and $V \in \mathcal{U}(B)$ such that the state $|\psi_{U,V}\rangle = (U \otimes I_{A'} \otimes V \otimes I_{B'})\, |\psi\rangle$ has the following property. Let $\rho_{X \tilde B B^\perp B'}$ and $\rho_{\tilde A Y A^\perp A'}$ be the states obtained when register $A$ of $\mathrm{tr}_{EA'}(|\psi_{U,V}\rangle\langle\psi_{U,V}|)$ is measured in the computational basis to obtain $X$, and register $B$ of $\mathrm{tr}_{EB'}(|\psi_{U,V}\rangle\langle\psi_{U,V}|)$ is measured in the computational basis to obtain $Y$. It then holds that
\[
\rho_{X \tilde B B^\perp B'} = \sum_{x,y} P_{X, Y \searrow X}(x,y)\, |x\rangle\langle x|_X \otimes |y\rangle\langle y|_{\tilde B} \otimes \sigma^y_{B^\perp B'}
\]
and
\[
\rho_{\tilde A Y A^\perp A'} = \sum_{x,y} P_{X \searrow Y, Y}(x,y)\, |x\rangle\langle x|_{\tilde A} \otimes |y\rangle\langle y|_Y \otimes \tau^x_{A^\perp A'} ,
\]
for some set of density matrices $\{\sigma^y\}_y$ in $\mathcal{H}_{B^\perp B'}$ and $\{\tau^x\}_x$ in $\mathcal{H}_{A^\perp A'}$.

Proof. Let $|\psi\rangle_{EABA'B'}$ be a tripartite embedding of $P_{X,Y}$,
\[
|\psi\rangle = \sum_{e,x,y,i,j} \sqrt{P_{E,X,Y,I,J}(e,x,y,i,j)}\, e^{i\theta(e,x,y,i,j)}\, |e,x,y,i,j\rangle_{EABA'B'} .
\]
Let $U$ and $V$ be unitary transforms acting in $\mathcal{H}_A$ and $\mathcal{H}_B$ respectively and extracting each party's dependent part ($X \searrow Y$ and $Y \searrow X$ respectively) in subregisters $\tilde A \subseteq A$ and $\tilde B \subseteq B$ respectively:
\[
U|x\rangle_A = |f(x)\rangle_{\tilde A} \otimes |\mu_x\rangle_{A^\perp} \quad\text{and}\quad V|y\rangle_B = |g(y)\rangle_{\tilde B} \otimes |\nu_y\rangle_{B^\perp} ,
\]
for classical functions $f$ and $g$ providing the dependent parts $X \searrow Y$ and $Y \searrow X$ associated to $X$ and $Y$ respectively. For $U$ and $V$ to be unitary, we have that $\langle\mu_x|\mu_{x'}\rangle = 0$ for all $x \neq x'$ such that $f(x) = f(x')$, and that $\langle\nu_y|\nu_{y'}\rangle = 0$ for all $y \neq y'$ such that $g(y) = g(y')$. We define
\[
\begin{aligned}
|\tilde\psi\rangle &= (I_E \otimes U \otimes I_{A'} \otimes V \otimes I_{B'})\, |\psi\rangle \\
&= \sum_{e,x,y,i,j} \sqrt{P_{E,X,Y,I,J}(e,x,y,i,j)}\, e^{i\theta(e,x,y,i,j)}\, |e, f(x), g(y)\rangle_{E\tilde A\tilde B} \otimes |\mu_x\rangle_{A^\perp} |\nu_y\rangle_{B^\perp} |i,j\rangle_{A'B'} ,
\end{aligned}
\]
where $\mathcal{H}_{\tilde A A^\perp} = \mathcal{H}_A$ and $\mathcal{H}_{\tilde B B^\perp} = \mathcal{H}_B$. Re-writing $|\tilde\psi\rangle$ in terms of the different values which $X$ may take results in:
\[
\begin{aligned}
|\tilde\psi\rangle &= \sum_x \sqrt{P_X(x)}\, |x\rangle_A \otimes \sum_{e,i} \sqrt{P_{E,I|X=x}(e,i)}\, |e,i\rangle_{EA'} |\varphi_{e,x,i}\rangle_{BB'} \\
&=: \sum_x \sqrt{P_X(x)}\, |x\rangle_A \otimes |\zeta_x\rangle_{A'EBB'} .
\end{aligned}
\]
We can view the information provided to Bob about $X$ as the information available about $X$ when encoded by $x \mapsto \rho_x$ where:
\[
\rho_x = \mathrm{tr}_{A'E}(|\zeta_x\rangle\langle\zeta_x|) = \sum_{e,i} P_{E,I|X=x}(e,i)\, |\varphi_{e,x,i}\rangle\langle\varphi_{e,x,i}|_{BB'} .
\]
By basic properties of the von Neumann entropy, we have that
\[
\begin{aligned}
S(X;BB')_\psi &= S(X; \tilde B B^\perp B')_{\tilde\psi} \\
&\geq S(X; Y \searrow X\, B^\perp B')_{\tilde\psi} \\
&\geq I(X; Y \searrow X) .
\end{aligned}
\]
Suppose now that $|\psi\rangle$ is non-leaking, that is $S(X;BB') = I(X;Y) = I(X; Y \searrow X)$. It follows that for non-leaking embeddings, all terms above are actually equal.

By the Holevo bound (Theorem 2.2), we conclude that the states in $\{\rho_x\}_x$ are simultaneously diagonalizable. In other words, for all $x$,
\[
\rho_x = \sum_z P_{Z|X=x}(z)\, |\gamma_z\rangle\langle\gamma_z|_{BB'} ,
\]
where $\{|\gamma_z\rangle\}_z$ form an orthonormal basis for some subspace of $\mathcal{H}_{BB'}$. Since $S(X;BB')_\psi = S(X; Y \searrow X\, B^\perp B')_{\tilde\psi}$, we conclude that such a basis can be chosen to be the computational basis for the register $\tilde B$ holding $Y \searrow X$:
\[
\begin{aligned}
\rho_{X \tilde B B^\perp B'} &= \sum_x P_X(x)\, |x\rangle\langle x|_X \otimes \rho_x \\
&= \sum_x P_X(x)\, |x\rangle\langle x|_X \otimes \sum_z P_{Z|X=x}(z)\, |\gamma_z\rangle\langle\gamma_z|_{BB'} \\
&= \sum_x P_X(x)\, |x\rangle\langle x|_X \otimes \sum_y P_{Y \searrow X | X=x}(y)\, |y\rangle\langle y|_{\tilde B} \otimes \sigma^{x,y}_{B^\perp B'} \\
&= \sum_{x,y} P_{X, Y \searrow X}(x,y)\, |x\rangle\langle x|_X \otimes |y\rangle\langle y|_{\tilde B} \otimes \sigma^{x,y}_{B^\perp B'} .
\end{aligned}
\]

We now observe that $|\psi\rangle$ being non-leaking implies that $\sigma^{x,y}_{\bar B^\perp B'}$ cannot depend on $x$. Otherwise, suppose that for some $y$ there exist $x \neq x'$ such that $\sigma^{x,y}_{\bar B^\perp B'} \neq \sigma^{x',y}_{\bar B^\perp B'}$ with $P_{X,Y\searrow X}(x,y) > 0$ and $P_{X,Y\searrow X}(x',y) > 0$. After having measured $y$, Bob can apply an optimal measurement for distinguishing between $\sigma^{x,y}_{\bar B^\perp B'}$ and $\sigma^{x',y}_{\bar B^\perp B'}$ with some strictly positive bias, allowing him to get more information than $I(X;Y\searrow X)$ and thereby implying that $|\psi\rangle$ is leaking. It follows that
$$\rho_{X\bar B\bar B^\perp B'} = \sum_{x,y} P_{X,Y\searrow X}(x,y)\,|x\rangle\langle x|_X \otimes |y\rangle\langle y|_{\bar B} \otimes \sigma^{y}_{\bar B^\perp B'} .$$
The same argument symmetrically applied to $\rho_{\bar A\bar A^\perp A'Y}$ leads to
$$\rho_{\bar A\bar A^\perp A'Y} = \sum_{x,y} P_{X\searrow Y,Y}(x,y)\,|x\rangle\langle x|_{\bar A} \otimes |y\rangle\langle y|_Y \otimes \tau^{x}_{\bar A^\perp A'} .$$


For the remainder of this section, we focus on primitives $P_{X,Y}$ where each variable is equivalent to its dependent part: $X = X\searrow Y$ and $Y = Y\searrow X$. For non-leaking tripartite embeddings of these primitives, we establish lower bounds on the conditional von Neumann entropy of the environment given each party's quantum state.
In order to define what we mean by the entropy of the environment, we decompose any tripartite embedding $|\psi\rangle$ of $P_{X,Y}$ in its Schmidt form with respect to the environment:
$$|\psi\rangle_{EABA'B'} = \sum_w \sqrt{\lambda_w}\,|e_w\rangle_E \otimes |\psi_w\rangle_{ABA'B'} ,$$
where $\langle e_w|e_{w'}\rangle = \langle\psi_w|\psi_{w'}\rangle = \delta_{w,w'}$. Now, imagine the environment measures register $E$ in the Schmidt basis $\{|e_w\rangle\langle e_w|\}_w$ to get classical random outcome $W$ such that $\Pr[W = w] = \lambda_w$. Corollary 4.10 below shows that non-leaking tripartite embeddings of $P_{X,Y}$ must satisfy $S(W|AA') \ge H(Y|X)$ and $S(W|BB') \ge H(X|Y)$. If the Schmidt decomposition is not unique, the result holds for a measurement in any Schmidt basis. Measurements in the Schmidt basis minimize the entropy of the outcome among all complete von Neumann measurements applied to the state of the environment. Intuitively, $S(W|AA')$ measures the amount of shared entanglement between Alice and the environment (similarly, $S(W|BB')$ is a measure for the shared entanglement between Bob and the environment). The more non-trivial a primitive gets, the more the environment has to be entangled with the players in order to preserve privacy.

Corollary 4.10. Let $|\psi\rangle_{EABA'B'}$ be any non-leaking tripartite embedding of $P_{X,Y}$ where $X = X\searrow Y$ and $Y = Y\searrow X$. Let $W$ be the random variable for the outcome of measuring the environment register $E$ in a Schmidt basis. Then,
$$S(W|AA') = S(W|XA') \ge H(Y|X) = H(Y\!\searrow\! X\,|\,X\!\searrow\! Y) \quad\text{and}\quad S(W|BB') = S(W|YB') \ge H(X|Y) = H(X\!\searrow\! Y\,|\,Y\!\searrow\! X) .$$


Proof. Let us write the non-leaking tripartite embedding as a function of Alice's output $X = x$ as follows:
$$|\psi\rangle_{ABEA'B'} = \sum_x \sqrt{P_X(x)}\,|x\rangle_A \otimes \sum_y \sqrt{P_{Y|X=x}(y)}\,|y\rangle_B \otimes \sum_a \kappa^{x,y}_a\,|a\rangle_{A'} \otimes |\mu^{x,y,a}\rangle_{EB'} , \qquad (12)$$
where we assume without loss of generality that all $\kappa^{x,y}_a$ are real (possible complex phases are put into $|\mu^{x,y,a}\rangle$). We claim that $\kappa^{x,y}_a = \kappa^{x}_a$, i.e. the coefficients do not depend on $y$. To see this, let $p^x_a := \Pr(A' = a\,|\,X = x)$ where $A'$ denotes the classical outcome of measuring register $A'$ in the computational basis. Suppose for a contradiction that there exists $y$ such that $|\kappa^{x,y}_a|^2 \neq p^x_a$:
$$\Pr(Y = y\,|\,X = x, A' = a) = \frac{\Pr(Y = y\,|\,X = x)\,\Pr(A' = a\,|\,X = x, Y = y)}{\Pr(A' = a\,|\,X = x)} = \frac{\Pr(Y = y\,|\,X = x)\,|\kappa^{x,y}_a|^2}{p^x_a} \neq \Pr(Y = y\,|\,X = x) ,$$
which would contradict the fact that $|\psi\rangle$ is non-leaking. Hence, we can write $|\psi\rangle$ as


$$|\psi\rangle_{ABEA'B'} = \sum_x \sqrt{P_X(x)}\,|x\rangle_A \sum_a \kappa^x_a\,|a\rangle_{A'}\,|\nu^{x,a}\rangle_{BEB'} ,$$
where
$$\begin{aligned}|\nu^{x,a}\rangle_{BEB'} &= \sum_y \sqrt{P_{Y|X=x}(y)}\,|y\rangle_B\,|\mu^{x,y,a}\rangle_{EB'} \\ &= \sum_y \sqrt{P_{Y|X=x}(y)}\,|y\rangle_B \sum_i \lambda^{x,y,a}_i\,|e^{x,y,a}_i\rangle_E \otimes |b^{x,y,a}_i\rangle_{B'} ,\end{aligned}$$
where in the last step we wrote the bipartite states $|\mu^{x,y,a}\rangle_{EB'}$ in their Schmidt form. Theorem 4.9 establishes that if $|\psi\rangle$ is non-leaking then
$$\mathrm{tr}_E\big(|\nu^{x,a}\rangle\langle\nu^{x,a}|_{BEB'}\big) = \sum_y P_{Y|X=x}(y)\,|y\rangle\langle y|_B \otimes \sigma^{y}_{B'} . \qquad (13)$$


We claim that (13) implies that the subspaces $S^{x,y} := \mathrm{span}\{|e^{x,y,a}_i\rangle_E\}_{i,a}$ must be perpendicular for different values of $y$. Let $q_y := \sqrt{P_{Y|X=x}(y)}$ be used to shorten the notation. We have
$$\begin{aligned}\mathrm{tr}_E\big(|\nu^{x,a}\rangle\langle\nu^{x,a}|_{BEB'}\big) &= \sum_{y,y'} q_y q_{y'}\,\mathrm{tr}_E\Big(|y\rangle\langle y'|_B \otimes |\mu^{x,y,a}\rangle\langle\mu^{x,y',a}|_{EB'}\Big) \\ &= \sum_{y,y'} q_y q_{y'}\,\mathrm{tr}_E\Big(|y\rangle\langle y'|_B \otimes \sum_{i,j} \lambda^{x,y,a}_i \lambda^{x,y',a}_j\,|e^{x,y,a}_i\rangle\langle e^{x,y',a}_j|_E \otimes |b^{x,y,a}_i\rangle\langle b^{x,y',a}_j|_{B'}\Big) \\ &= \sum_{y,y'} q_y q_{y'}\,|y\rangle\langle y'|_B \otimes \sum_{i,j} \lambda^{x,y,a}_i \lambda^{x,y',a}_j\,\langle e^{x,y',a}_j|e^{x,y,a}_i\rangle\,|b^{x,y,a}_i\rangle\langle b^{x,y',a}_j|_{B'} . \qquad (14)\end{aligned}$$
Clearly, if $S^{x,y} \perp S^{x,y'}$ is not satisfied then there exist $i \neq j$, $y \neq y'$ such that $\langle e^{x,y,a}_i|e^{x,y',a}_j\rangle \neq 0$ and, according to (14), register $B$ is not diagonal in the computational basis, contradicting (13). It follows that for $X = x$, any $A' = a$, and when $Y = y$ is measured by Bob, the environment $E$ ends up in the subspace $S^{x,y}$ of $E$ which corresponds to $Y = y$ unambiguously. As $W$ is the outcome of measuring $E$ in the Schmidt basis, knowledge of $W$, $X$ and $A'$ determines $Y$. Formally, we have $0 \le S(Y|WXA') \le S(Y|WX\hat{A}') = 0$, where $\hat{A}'$ denotes the classical outcome of measuring $A'$ in the computational basis, and it follows that
$$\begin{aligned}S(W|XA') &= S(W|XA') + S(Y|WXA') \\ &= S(WY|XA') \\ &\ge S(Y|XA') \qquad (15) \\ &= H(Y|X) ,\end{aligned}$$
where the inequality holds due to the classicality of $W$ and the last step is due to strict correctness.
The same argument with the roles of Alice and Bob reversed results in:
$$S(W|YB') \ge H(X|Y) . \qquad (16)$$
Equations (15) and (16) establish the inequalities of the statement.

To prove the statement's equalities, consider Theorem 4.9 when Bob measures $Y$:
$$\rho_{A'AY} = \sum_{x,y} P_{X,Y}(x,y)\,\tau^{x}_{A'} \otimes |x,y\rangle\langle x,y|_{AY} ,$$
which obviously means that
$$\rho_{A'A} = \sum_x P_X(x)\,\tau^{x}_{A'} \otimes |x\rangle\langle x|_A .$$
Alice's register $A$ is therefore diagonal in the computational basis. It follows that
$$S(W|AA') = S(W|XA') .$$
A symmetric argument from (16) shows that
$$S(W|BB') = S(W|YB') . \qquad \square$$

Suppose Alice and Bob have access to an ideal functionality for $P_{X,Y}$ as a cryptographic resource. What primitives can Alice and Bob implement without leakage given access to this resource? Is it possible for them to "promote" the ideal functionality for $P_{X,Y}$ to a stronger cryptographic primitive? Before answering this question in the negative, let us define exactly what we mean by an ideal functionality for primitive $P_{X,Y}$.

Definition 4.11. An ideal functionality $\mathrm{ID}(P_{X,Y})$ for primitive $P_{X,Y}$ is a box that provides Alice and Bob with $X$ and $Y$ respectively and nothing more. In particular, the ideal functionality never provides extra working registers (otherwise, extra registers could, without violating strict correctness, provide additional cryptographic resources to Alice and Bob). More formally,
$$\mathrm{ID}(P_{X,Y}) = \sum_{x,y} P_{X,Y}(x,y)\,|x\rangle\langle x|_A \otimes |y\rangle\langle y|_B .$$
The next theorem shows that one call to an ideal functionality is never sufficient for a non-leaking implementation of a stronger primitive. In other words, quantum communication and computation never allow amplifying an ideal classical two-party cryptographic primitive into a stronger one without leakage.

Theorem 4.12. Let $P_{X,Y}$ and $P_{X',Y'}$ be two primitives, where $X = X\searrow Y$, $Y = Y\searrow X$, $X' = X'\searrow Y'$, and $Y' = Y'\searrow X'$. Suppose that $H(X'|Y') > H(X|Y)$ or $H(Y'|X') > H(Y|X)$. Then, any implementation of $P_{X',Y'}$ using just one call to the ideal functionality $\mathrm{ID}(P_{X,Y})$ leaks information.

Proof. We may view the ideal functionality $\mathrm{ID}(P_{X,Y})$ as a box that conceals its environment from Alice and Bob. For instance, the state
$$|\psi\rangle_{EAB} = \sum_{x,y} \sqrt{P_{X\searrow Y,Y\searrow X}(x,y)}\,|x,y\rangle_E \otimes |x,y\rangle_{AB}$$
is a non-leaking embedding of $P_{X\searrow Y,Y\searrow X}$ with $S(W|A) = H(Y|X)$ and $S(W|B) = H(X|Y)$, where $W$ is defined as above as the classical outcome when measuring the environment in the Schmidt basis.

Consider any strictly correct protocol implementing $P_{X',Y'}$ where Alice and Bob purify their actions but are otherwise honest. An execution of the protocol will produce a non-leaking tripartite embedding of $P_{X',Y'}$. Just before the call to $\mathrm{ID}(P_{X,Y})$, Alice's internal register $A_0$ and Bob's internal register $B_0$ are such that
$$S(W|A_0) = S(W|B_0) = 0 ,$$
since the environment is in a pure state. Just after the call to $\mathrm{ID}(P_{X,Y})$, Alice's register $A_1$ and Bob's register $B_1$ satisfy:
$$S(W|A_1) = H(Y|X) \quad\text{and}\quad S(W|B_1) = H(X|Y) ,$$
since $A \subseteq A_1$ and $B \subseteq B_1$. Notice also that the state provided to Alice and Bob by $\mathrm{ID}(P_{X,Y})$ is diagonal in the computational basis: the information is classical. It follows that Alice and Bob can copy this information and keep it with them during the execution of the protocol while remaining able to run the protocol in an honest-but-curious fashion. The Schmidt basis for the environment remains the same after the call to $\mathrm{ID}(P_{X,Y})$. It follows that at any point $t$ in the protocol evolution, Alice's and Bob's internal quantum registers $A_t$ and $B_t$ respectively are such that:
$$S(W|A_t) \le H(Y|X) \quad\text{and}\quad S(W|B_t) \le H(X|Y) . \qquad (17)$$
That is, $S(W|A_t)$ and $S(W|B_t)$ are non-increasing monotones for honest-but-curious quantum players in secure two-party computation, similar to $H(Y|X)$ and $H(X|Y)$ in the classical case [WW04].

At the very last step $t_{\max}$ of the protocol, $A_{t_{\max}} := A \otimes A'$ and $B_{t_{\max}} := B \otimes B'$. Therefore,
$$S(W|AA') \le H(Y|X) \quad\text{and}\quad S(W|BB') \le H(X|Y) .$$
Since $H(Y|X) < H(Y'|X')$ or $H(X|Y) < H(X'|Y')$, we conclude that either $S(W|AA') < H(Y'|X')$ or $S(W|BB') < H(X'|Y')$. It follows by Corollary 4.10 that the implementation of $P_{X',Y'}$ must leak. $\square$

As in the classical case [WW04], it is straightforward to use Theorem 4.12 in order to determine a lower bound on the number of calls to a weaker primitive required to implement a stronger one without leakage: $P_{X',Y'}$ can be implemented without leakage by $n$ calls to $P_{X,Y}$ only if $H(X'|Y') \le nH(X|Y)$ and $H(Y'|X') \le nH(Y|X)$.

4.4 Reducibility of Primitives and Their Leakage

This section is concerned with the following question: Given two primitives $P_{X,Y}$ and $P_{\tilde X,\tilde Y}$ such that $P_{X,Y}$ is reducible to $P_{\tilde X,\tilde Y}$, what is the relationship between the leakage of $P_{X,Y}$ and the leakage of $P_{\tilde X,\tilde Y}$? We use the notion of reducibility in the following sense: We say that a primitive $P_{X,Y}$ is reducible in the HBC model to a primitive $P_{\tilde X,\tilde Y}$ if $P_{X,Y}$ can be securely implemented in the HBC model from (one call to) a secure implementation of $P_{\tilde X,\tilde Y}$. The above question can also be generalized to the case where $P_{X,Y}$ can be computed from $P_{\tilde X,\tilde Y}$ only with certain probability. Notice that the answer, even if we assume perfect reducibility, is not captured in our previous result from Lemma 4.3, since an embedding of $P_{\tilde X,\tilde Y}$ is not necessarily an embedding of $P_{X,Y}$ (it might violate the strict correctness condition). However, under certain circumstances, we can show that $\Delta_{P_{\tilde X,\tilde Y}} \ge \Delta_{P_{X,Y}}$.
Theorem 4.13. Assume that primitives $P_{X,Y}$ and $P_{\tilde X,\tilde Y} := P_{X_0X_1,Y_0Y_1}$ satisfy the condition:
$$\sum_{x,y:\; P_{X_0,Y_0|X_1=x,Y_1=y}\,\sim\,P_{X,Y}} P_{X_1,Y_1}(x,y) \;\ge\; 1-\delta ,$$
where the relation $\sim$ means that the two distributions are equal up to relabeling of the alphabet. Then, $\Delta_{P_{\tilde X,\tilde Y}} \ge (1-\delta)\,\Delta_{P_{X,Y}}$.

Proof. State $|\psi\rangle_{A_0A_1B_0B_1} \in \mathcal{E}(P_{\tilde X,\tilde Y})$ can be written in the form:
$$|\psi\rangle = \sum_{x \in \mathcal{X}_1} \sqrt{P_{X_1}(x)}\,|x\rangle_{A_1}\,|\psi_x\rangle_{A_0B_0B_1} ,$$
where each $|\psi_x\rangle$ is a regular embedding of $P_{X_0,Y_0Y_1|X_1=x}$. Due to the Holevo bound (Theorem 2.2), we have
$$S(\tilde Y|A)_\psi = S(\tilde Y|A_0A_1)_\psi \le S(\tilde Y|A_0, X_1)_\psi = \sum_x P_{X_1}(x)\,S(\tilde Y|A_0, X_1 = x)_{\psi_x} ,$$
and we obtain for the leakage of $|\psi\rangle$ that
$$\begin{aligned}\Delta_\psi(P_{\tilde X,\tilde Y}) &= H(\tilde Y|\tilde X) - S(\tilde Y|A)_\psi \\ &\ge H(\tilde Y|\tilde X) - \sum_x P_{X_1}(x)\,S(\tilde Y|A_0, X_1 = x)_{\psi_x} \\ &= \sum_x P_{X_1}(x)\Big(H(\tilde Y|X_0, X_1 = x) - S(\tilde Y|A_0, X_1 = x)_{\psi_x}\Big) \\ &= \sum_x P_{X_1}(x)\,\Delta_{\psi_x}(P_{X_0,Y_0Y_1|X_1=x}) .\end{aligned}$$
By applying the same argument to each $|\psi_x\rangle$, we obtain that
$$\Delta_\psi(P_{\tilde X,\tilde Y}) \ge \sum_{x,y} P_{X_1,Y_1}(x,y)\,\Delta_{\psi_{x,y}}(P_{X_0,Y_0|X_1=x,Y_1=y}) , \qquad (18)$$
where each $|\psi_{x,y}\rangle$ is a regular embedding of $P_{X_0,Y_0|X_1=x,Y_1=y}$. For each $(x,y)$ such that $P_{X_0,Y_0|X_1=x,Y_1=y} \sim P_{X,Y}$ is satisfied, we get that
$$\Delta_{\psi_{x,y}}(P_{X_0,Y_0|X_1=x,Y_1=y}) \ge \Delta_{P_{X,Y}} .$$
Since $\sum_{x,y:\; P_{X_0,Y_0|X_1=x,Y_1=y} \sim P_{X,Y}} P_{X_1,Y_1}(x,y) \ge 1-\delta$, we get from (18) that
$$\Delta_\psi(P_{\tilde X,\tilde Y}) \ge (1-\delta)\,\Delta_{P_{X,Y}} . \qquad \square$$

Theorem 4.13 will allow us to derive a lower bound on the leakage of 1-out-of-2 Oblivious Transfer of $r$-bit strings in Section 5.

5 The Leakage of Universal Cryptographic Primitives

In this section, we exhibit lower bounds on the leakage of the following universal two-party primitives.


String Rabin OT ($\mathrm{ROT}^r$) [Rab81]: Alice sends a random string of $r$ bits to Bob who receives it with probability $1/2$, otherwise he receives a special symbol $\bot$. Alice does not learn any information about whether Bob has received the string she sent.

For $x \in \{0,1\}^r$ and $y \in \{0,1\}^r \cup \{\bot\}$:
$$P^{\mathrm{ROT}^r}_{X,Y}(x,y) = \begin{cases} 2^{-r-1} & \text{if } x = y \text{ or } y = \bot, \\ 0 & \text{otherwise,} \end{cases}$$
is the joint probability distribution associated to an execution of Rabin OT of a random binary string of length $r$.

One-out-of-two String OT ($\mathrm{1\text{-}2\text{-}OT}^r$) [Wie83,EGL82]: Alice sends two random $r$-bit strings to Bob who decides which of them he receives. Bob does not learn any information about the other one of Alice's strings and Alice does not learn which of the strings has been received by Bob. We simply write 1-2-OT for the case of 1-out-of-2 oblivious transfer of bits ($r = 1$).

For $x_0, x_1, y \in \{0,1\}^r$ and $c \in \{0,1\}$:
$$P^{\mathrm{1\text{-}2\text{-}OT}^r}_{X,Y}((x_0,x_1),(c,y)) = \begin{cases} 2^{-2r-1} & \text{if } y = x_c, \\ 0 & \text{otherwise,} \end{cases}$$
is the joint probability distribution associated to an execution of one-out-of-two $r$-bit string OT upon random inputs.

Additive sharing of AND (SAND) [PR94]: Alice and Bob choose their respective input bits $x$ and $y$, and receive the output bits $a$ resp. $b$ such that $a \oplus b = x \wedge y$ and $\Pr[a = 0] = 1/2$. They do not get any other information.

For $x, y, a, b \in \{0,1\}$:
$$P^{\mathrm{SAND}}_{X,Y}((x,a),(y,b)) = \begin{cases} \frac{1}{8} & \text{if } xy = a \oplus b, \\ 0 & \text{otherwise,} \end{cases}$$
is the joint probability distribution associated to the generation of an additive sharing for the AND of two random bits.

Noisy one-out-of-two OT ($\mathrm{1\text{-}2\text{-}OT}^p$): Alice sends two bits to Bob who decides which of them he wants to receive. The selected bit is transmitted to him over a noisy channel with noise rate $p$. Bob does not learn any information about the other one of Alice's bits and Alice does not learn any information about Bob's selection bit.

For $x_0, x_1, y, c \in \{0,1\}$ and $p \in (0,1/2)$:
$$P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}((x_0,x_1),(c,y)) = \begin{cases} \frac{1-p}{8} & \text{if } y = x_c, \\ \frac{p}{8} & \text{otherwise,} \end{cases}$$
is the joint probability distribution associated to an execution of one-out-of-two OT where the selected bit is received through a binary symmetric channel with error rate $p$.
primitive                          | leaking at least                                        | comments
$\mathrm{ROT}^1$                   | $\frac{3}{2} - \frac{3}{4}\log 3 \approx 0.311$          | same leakage for all regular embeddings
$\mathrm{ROT}^r$                   | $1 - O(r 2^{-r})$                                        | same leakage for all regular embeddings
1-2-OT, SAND                       | $\frac{1}{2}$                                            | minimized by canonical embedding
$\mathrm{1\text{-}2\text{-}OT}^r$  | $1 - O(r 2^{-r})$                                        | (suboptimal) lower bound
$\mathrm{1\text{-}2\text{-}OT}^p$  | $\frac{(1/2 - p - \sqrt{p(1-p)})^2}{8 \ln 2}$            | if $p < \sin^2(\pi/8) \approx 0.15$, (suboptimal) lower bound

Table 1. Lower bounds on the leakage for universal two-party primitives


Table 1 summarizes the lower bounds on the leakage of these primitives (the derivations can be found in Appendix A). We note that Wolf and Wullschleger [WW05b] have shown that a randomized 1-2-OT can be transformed by local operations into an additive sharing of an AND (here called SAND). Therefore, our results for 1-2-OT below also apply to SAND.

$\mathrm{1\text{-}2\text{-}OT}^r$ and $\mathrm{1\text{-}2\text{-}OT}^p$ are primitives where the direct evaluation of the leakage for a general embedding $|\psi_\theta\rangle$ is hard, because the number of possible phases increases exponentially in the number of qubits. Instead of computing $S(A)$ directly, we derive (suboptimal) lower bounds on the leakage.

For the primitive $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$, our lower bound on the leakage only holds for $p < \sin^2(\pi/8) \approx 0.15$. Notice that in reality, the leakage is strictly positive for any embedding of $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$ with $p < 1/4$, since for $p < 1/4$, $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$ is a non-trivial primitive. On the other hand, $P^{\mathrm{1\text{-}2\text{-}OT}^{1/4}}_{X,Y}$ is a trivial primitive implemented securely by the following protocol in the classical HBC model:

1. Alice chooses randomly between her input bits $x_0$ and $x_1$ and sends the chosen value $x_a$ to Bob.

2. Bob chooses his selection bit $c$ uniformly at random and sets $y := x_a$.

Equality $x_c = y$ is satisfied if either $a = c$, which happens with probability $1/2$, or if $a \neq c$ and $x_a = x_{1-a}$, which happens with probability $1/4$. Since the two events are disjoint, it follows that $x_c = y$ with probability $3/4$ and that the protocol implements $P^{\mathrm{1\text{-}2\text{-}OT}^{1/4}}_{X,Y}$. The implementation is clearly secure against honest-but-curious Alice, since she does not receive any message from Bob. It is also secure against Bob, since he receives only one bit from Alice. By letting Alice randomize the value of the bit she is sending, the players can implement $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$ securely for any value $1/4 \le p < 1/2$.

6 Conclusion and Open Problems 

We have provided a quantitative extension of qualitative impossibility results for two-party quantum cryptography. All non-trivial classical primitives leak information when implemented by quantum protocols. Notice that demanding a protocol to be non-leaking does in general not imply the privacy of the players' outputs. For instance, consider a protocol implementing 1-2-OT but allowing a curious receiver with probability $\frac{1}{2}$ to learn both bits simultaneously or with probability $\frac{1}{2}$ to learn nothing about them. Such a protocol for 1-2-OT would be non-leaking but nevertheless insecure. Consequently, Theorem 4.6 not only tells us that any quantum protocol implementing a non-trivial primitive must be insecure, but also that a privacy breach will reveal itself as leakage. Our framework allows us to quantify the leakage of any two-party quantum protocol strict-correctly implementing a primitive. Our impossibility results are different from common ones since they only rely on the strict correctness of the protocol, not on the perfect privacy of a protocol against one party. Moreover, the generic attack that allows to show leakage is simply implemented by purifying the parties' actions. Furthermore, we present lower bounds on the leakage of some strictly correct universal two-party primitives.

A natural open question is to find a way to identify good embeddings for a given primitive. Based on the examples of $\mathrm{ROT}^r$ and 1-2-OT, it is tempting to conjecture the following.

Conjecture 6.1. The leakage of any primitive $P_{X,Y}$ is minimized by its canonical embedding.

The conjecture agrees with the geometric intuition that the minimal pairwise distinguishability of quantum states in a mixture minimizes the von Neumann entropy of the mixture. However, Jozsa and Schlienz have shown that this intuition is sometimes incorrect [JS00]. In a quantum system of dimension at least three, we can have the following situation: For two sets of pure states $\{|u_i\rangle\}_{i=1}^n$ and $\{|v_i\rangle\}_{i=1}^n$ satisfying $|\langle u_i|u_j\rangle| \le |\langle v_i|v_j\rangle|$ for all $i,j$, there exist probabilities $p_i$ such that for $\rho_u := \sum_i p_i |u_i\rangle\langle u_i|$, $\rho_v := \sum_i p_i |v_i\rangle\langle v_i|$ it holds that $S(\rho_u) < S(\rho_v)$. As we can see, although each pair $|u_i\rangle, |u_j\rangle$ is more distinguishable than the corresponding pair $|v_i\rangle, |v_j\rangle$, the overall $\rho_u$ provides us with less uncertainty than $\rho_v$. It follows that although for the canonical embedding $|\psi_0\rangle = \sum_y |\varphi_y\rangle|y\rangle$ of $P_{X,Y}$ the mutual overlaps $|\langle\varphi_y|\varphi_{y'}\rangle|$ are clearly maximized, it does not necessarily imply that $S(A)$ in this case is minimal over $\mathcal{E}(P_{X,Y})$. It is an interesting open question to find a primitive whose canonical embedding does not minimize the leakage or to prove that no such primitive exists. In particular, how far can the leakage of the canonical embedding be from the best one? Such a characterization, even if only applicable to special primitives, would allow to lower bound their leakage and would also help to understand the power of two-party quantum cryptography in a more concise way.

A very natural generalization of our approach would be to see what happens when strict 
correctness is relaxed. 

Conjecture 6.2. Any correct protocol for $P_{X,Y}$ leaks as much as a strictly correct protocol for $P_{X,Y}$.

The most obvious relaxation would be to consider as correct any $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$ that produces $(x,y)$ with probability $P_{X,Y}(x,y)$ when registers $A$ and $B$ are measured but registers $A'$ and $B'$ can provide extra information about $Y$ and $X$ respectively. Remember that this is equivalent to allowing the quantum Markov chain conditions $A' \leftrightarrow X \leftrightarrow Y$ and $B' \leftrightarrow Y \leftrightarrow X$ not to hold anymore. Would it be possible to find such a $|\psi\rangle$ with the property that for any regular embedding $|\phi\rangle \in \mathcal{E}(P_{X,Y})$:
$$\Delta_\psi(P_{X,Y}) < \Delta_\phi(P_{X,Y})\ ?$$
A positive answer would reveal that some primitive $P_{X,Y}$ may be implemented with minimum leakage when viewed as a marginal in some larger probability distribution $P_{XX',YY'}$. A negative answer would rather show that all our results hold unaffected for the standard notion of correctness. Note however that the leakage is no longer symmetric for the standard notion of correctness.

It would also be interesting to find a measure of cryptographic non-triviality for two-party primitives and see how it relates to the minimum leakage of any implementation by quantum protocols. For instance, is it true that quantum protocols for primitive $P_{X,Y}$ leak more if the distance between $P_{X,Y}$ and any trivial primitive increases?

Another question we leave for future research is to define and investigate other notions of leakage, e.g. in the one-shot setting instead of in the asymptotic regime (as outlined in a footnote above). Results in the one-shot setting have already been established for data compression [RW05], channel capacities [RWW06], state-merging [WR07,Ber08] and other (quantum-) information-theoretic tasks.

Furthermore, it would be interesting to find more applications for the concept of leakage, considered also for protocols using an environment as a trusted third party. In this direction, we have shown in Theorem 4.12 that any two-party quantum protocol for a given primitive, using a black box for an "easier" primitive, leaks information. Lower-bounding this leakage is an interesting open question. We might also ask how many copies of the "easier" primitive are needed to implement the "harder" primitive by a quantum protocol, which would give us an alternative measure of non-triviality for two-party primitives.

The approach used in this paper cannot easily be applied to cryptographic primitives modeled by unitary transforms. Our approach is specialized to deal with classical primitives. It is an open question to determine the leakage of protocols implementing some unitary primitive. The few impossibility proofs for unitary primitives that we are aware of simply establish that perfect privacy cannot be achieved. For example, it is shown in [DNS10] that quantum SWAP is impossible (in fact, any unitary that never allows any of the parties to recover their input state). It would be very interesting to investigate the landscape of possibilities and impossibilities for unitary primitives and see how it relates to the one for classical primitives. These two worlds might be very different.
A Leakage of Universal Primitives

A.1 Exact calculations

First, we look at the leakage of the embeddings of Rabin String OT ($\mathrm{ROT}^r$).

Theorem A.1. Any embedding of $P^{\mathrm{ROT}^r}_{X,Y}$ is at least $(1 - O(r 2^{-r}))$-leaking. For $r = 1$ any embedding is at least $(\frac{3}{2} - \frac{3}{4}\log 3) \approx 0.311$-leaking. Furthermore, the leakage is the same for all embeddings of $P^{\mathrm{ROT}^r}_{X,Y}$.

Proof. Let
$$|\psi\rangle = \frac{1}{\sqrt{2^{r+1}}} \sum_{x \in \{0,1\}^r} e^{i\theta(x,x)}\,|xx\rangle + \frac{1}{\sqrt{2^{r+1}}} \Big(\sum_{x \in \{0,1\}^r} e^{i\theta(x,\bot)}\,|x\rangle\Big)|\bot\rangle ,$$
where $\bot$ denotes an erasure, be a general form of an embedding of $P^{\mathrm{ROT}^r}_{X,Y}$.

Define $|\varphi\rangle := 2^{-r/2} \sum_{x \in \{0,1\}^r} e^{i\theta(x,\bot)}\,|x\rangle$. If Bob receives the value of Alice's string successfully, Alice gets an ensemble $\rho^0 = 2^{-r} \sum_{x \in \{0,1\}^r} |x\rangle\langle x|$. If an erasure occurs on Bob's side, Alice gets $\rho^1 = |\varphi\rangle\langle\varphi|$. We find $S(A)$ by computing the eigenvalues of $\rho_A := \frac{1}{2}(\rho^0 + \rho^1)$.

Since $\rho^0 = 2^{-r}\,\mathbb{I}_A$, $|v\rangle$ is an eigenvector of $\rho_A$ if and only if it is an eigenvector of $\rho^1$. If $|v\rangle$ is an eigenvector of $\rho^1$ then either a) $|v\rangle = e^{i\theta}|\varphi\rangle$ or b) $\langle v|\varphi\rangle = 0$. If a) is the case, then
$$\rho_A|v\rangle = \tfrac{1}{2}\big(\rho^0|v\rangle + \rho^1|v\rangle\big) = \tfrac{1}{2}\big(2^{-r} + 1\big)|v\rangle ,$$
whereas in the case b),
$$\rho_A|v\rangle = \tfrac{1}{2}\big(\rho^0|v\rangle + \rho^1|v\rangle\big) = \tfrac{1}{2}\,2^{-r}\,|v\rangle .$$
The state $\rho_A$ has eigenvalues $\{\frac{1}{2} + \frac{1}{2^{r+1}},\ \frac{1}{2^{r+1}}\}$, where $\frac{1}{2^{r+1}}$ has multiplicity $2^r - 1$. $S(A)$ can then be computed as follows:
$$\begin{aligned} S(A) &= \Big(\frac{1}{2} + \frac{1}{2^{r+1}}\Big) \log\frac{2^{r+1}}{2^r + 1} + \frac{2^r - 1}{2^{r+1}} \log 2^{r+1} \\ &= \Big(\frac{1}{2} + \frac{1}{2^{r+1}}\Big)\Big(1 - \frac{1}{\ln 2 \cdot 2^r} + O\Big(\frac{1}{4^r}\Big)\Big) + \frac{r+1}{2} - \frac{r+1}{2^{r+1}} \\ &= \frac{r}{2} + 1 - O\Big(\frac{r}{2^r}\Big) . \end{aligned}$$
Since $I(X;Y) = \frac{r}{2}$, for the leakage we get:
$$\Delta_\psi(P^{\mathrm{ROT}^r}_{X,Y}) = S(A) - I(X;Y) = 1 - O\Big(\frac{r}{2^r}\Big) .$$
As we can see, the leakage does not depend on the phase-function $\theta$. $\square$


In the following theorem we minimize the leakage of an embedding of $P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}$.

Theorem A.2. Any $|\psi\rangle \in \mathcal{E}(P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y})$ is at least $\frac{1}{2}$-leaking. The leakage is minimized by the canonical embedding.


Proof. Let
$$|\psi\rangle = \frac{1}{2\sqrt{2}} \sum_{x_0,x_1,c \in \{0,1\}} e^{i\theta(x_0x_1,\,cx_c)}\,|x_0x_1\rangle|cx_c\rangle$$
be a regular embedding of $P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}$. Without loss of generality assume that $\theta(00,00) = 0$. Notice that for the local phase-changing transformations
$$\begin{aligned} U_A &:= |00\rangle\langle 00| + e^{i\theta(01,00)}\,|01\rangle\langle 01| + e^{i(\theta(10,10) - \theta(00,10))}\,|10\rangle\langle 10| \\ &\quad + e^{i(\theta(10,10) + \theta(11,01) - \theta(00,10) - \theta(10,01))}\,|11\rangle\langle 11| , \\ U_B &:= |00\rangle\langle 00| + e^{i(\theta(00,10) + \theta(10,01) - \theta(10,10))}\,|01\rangle\langle 01| \\ &\quad + e^{i\theta(00,10)}\,|10\rangle\langle 10| + e^{i(\theta(01,11) - \theta(01,00))}\,|11\rangle\langle 11| , \end{aligned}$$
we get
$$U_A \otimes U_B\,|\psi\rangle = |\psi'\rangle = \frac{1}{2}\Big(|0+\rangle|00\rangle + |1+\rangle|01\rangle + |+0\rangle|10\rangle + \frac{|0\rangle + e^{i\omega}|1\rangle}{\sqrt{2}}|1\rangle\,|11\rangle\Big) ,$$
where $\omega = \theta(00,10) + \theta(01,00) + \theta(10,01) + \theta(11,11) - \theta(01,01) - \theta(10,10) - \theta(11,01)$.

Let $A'$ denote Alice's quantum system for Alice and Bob sharing $|\psi'\rangle$. Since $S(A) = S(A')$, we can minimize $S(A')$ in order to minimize $S(A)$. Assume that Alice and Bob share $|\psi'\rangle$. For Bob's selection bit $c = 0$, Alice gets an ensemble $\rho_0 = \frac{1}{2}\big(|0+\rangle\langle 0+| + |1+\rangle\langle 1+|\big)$, whereas for $c = 1$, she gets $\rho_1 = \frac{1}{2}\big(|+0\rangle\langle +0| + \frac{1}{2}(|01\rangle + e^{i\omega}|11\rangle)(\langle 01| + e^{-i\omega}\langle 11|)\big)$, where $\rho_{A'} = \frac{1}{2}(\rho_0 + \rho_1)$. By solving the characteristic equation of $\rho_{A'}$ we get the set of eigenvalues $\{\frac{1}{4}(1 \pm \cos\frac{\omega}{4}),\ \frac{1}{4}(1 \pm \sin\frac{\omega}{4})\}$. $S(A')$ can then be expressed as follows:
$$S(A') = 1 + \frac{1}{2}\,h\Big(\frac{1 - \cos(\omega/4)}{2}\Big) + \frac{1}{2}\,h\Big(\frac{1 - \sin(\omega/4)}{2}\Big) .$$
By computing the second derivative of $f(x) = h\big(\frac{1 - \sqrt{x}}{2}\big)$ we get that $f''(x) \le 0$ in $[0,1]$, implying that $f$ is concave in $[0,1]$. For $\alpha \in [0,1]$, Jensen's inequality yields $f(\alpha) \ge \alpha f(1) + (1-\alpha) f(0)$, and therefore, $f(\alpha) + f(1-\alpha) \ge f(0) + f(1)$. Consequently, the minimum of $h\big(\frac{1 - \cos(\omega/4)}{2}\big) + h\big(\frac{1 - \sin(\omega/4)}{2}\big) = f(\cos^2\frac{\omega}{4}) + f(\sin^2\frac{\omega}{4})$ is achieved for $\omega = 0$ and in this case, $S(A') = \frac{3}{2}$.

Finally, we can conclude that the leakage is minimal for the canonical embedding and
$$\Delta_\psi(P_{X,Y}) = S(A) - I(X;Y) = S(A') - I(X;Y) \ge \tfrac{3}{2} - 1 = \tfrac{1}{2} . \qquad \square$$


There is also a more direct way to interpret this quantity in the case of the canonical embedding $|\psi_0\rangle$ for $P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}$: if Alice and Bob share a single copy of $|\psi_0\rangle$ then there exist POVMs for both of them which reveal Bob's selection bit to Alice, and the XOR of Alice's bits to Bob, both with probability $\frac{1}{2}$. Let $|\Phi^\pm\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$, $|\Psi^\pm\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$ denote the Bell states, and $|\pm\rangle := \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. Observe that the canonical embedding $|\psi_0\rangle$ of $P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}$ can be expressed as follows:
$$|\psi_0\rangle = -\frac{1}{2}\,|\Phi^-\rangle\,\frac{|\Psi^-\rangle - |\Phi^-\rangle}{\sqrt{2}} \;-\; \frac{1}{2}\,|\Psi^-\rangle\,\frac{|\Psi^+\rangle - |\Phi^+\rangle}{\sqrt{2}} \;+\; \frac{1}{\sqrt{2}}\,|{+}{+}\rangle|{+}{+}\rangle .$$
In order to get the value $x_0 \oplus x_1$ of Alice's bits $x_0$ and $x_1$, Bob can use the POVM $B = \{B_0, B_1, B_?\}$ where $B_0 := \frac{1}{2}(|\Psi^-\rangle - |\Phi^-\rangle)(\langle\Psi^-| - \langle\Phi^-|)$, $B_1 := \frac{1}{2}(|\Psi^+\rangle - |\Phi^+\rangle)(\langle\Psi^+| - \langle\Phi^+|)$, and $B_? := |{+}{+}\rangle\langle{+}{+}|$. It is easy to verify that Bob gets outcome $B = B_z$ for $z \in \{0,1\}$ (in which case $x_0 \oplus x_1 = z$ with certainty) with probability $\frac{1}{4}$. Alice's POVM can be defined as $A = \{A_0, A_1, A_?\}$ where $A_0 := |{-}{+}\rangle\langle{-}{+}|$, $A_1 := |{+}{-}\rangle\langle{+}{-}|$, and $A_? := \mathbb{I}_2 \otimes \mathbb{I}_2 - A_0 - A_1$. By inspection we easily find that the probability for Alice to get Bob's selection bit is $1 - \mathrm{tr}\big((A_? \otimes \mathbb{I}_2)\,|\psi_0\rangle\langle\psi_0|\big) = \frac{1}{2}$. For any regular embedding of $P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}$ we can construct similar POVMs revealing the XOR of Alice's bits to Bob and Bob's selection bit to Alice with probability strictly more than {.
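As an added numerical check (this script is not part of the paper), the following Python code builds Alice's reduced state for the canonical embedding $|\psi_0\rangle = \sum_y \sqrt{P_Y(y)}\,|\varphi_y\rangle|y\rangle$ with normalized $|\varphi_y\rangle = \sum_x \sqrt{P_{X|Y=y}(x)}\,|x\rangle$ of any primitive from Section 5 and evaluates $\Delta = S(A) - I(X;Y)$; it reproduces the $0.311$ of Theorem A.1 and the $\frac{1}{2}$ of Theorem A.2 (and of SAND) from Table 1, and also evaluates the $r = 2$ string variants and the noisy bit OT, which the page bounds only from below. The Jacobi eigenvalue routine, the distribution generators and the spelling `"erasure"` for $\bot$ are choices of this example.

```python
"""Leakage Delta = S(A) - I(X;Y) of the canonical embedding of a classical primitive.

Assumed model (from the paper): |psi_0> = sum_y sqrt(P_Y(y)) |phi_y>_A |y>_B with
|phi_y> = sum_x sqrt(P_{X|Y=y}(x)) |x>, so Alice's reduced state has real entries
rho_A[x, x'] = sum_y sqrt(P(x,y) P(x',y)).  Pure Python, no numpy: eigenvalues of the
real symmetric rho_A come from a cyclic Jacobi routine written for this example."""
import math
from itertools import product


def entropy(probs):
    """Shannon entropy in bits; numerically zero (or tiny negative) entries are skipped."""
    return -sum(p * math.log2(p) for p in probs if p > 1e-12)


def sym_eigenvalues(matrix, max_sweeps=100):
    """Eigenvalues of a real symmetric matrix via cyclic Jacobi rotations."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-24:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                # rotation angle that annihilates a[p][q] (Numerical-Recipes form)
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A.P   (columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- P^T.A (rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def canonical_leakage(pxy):
    """Delta = S(A) - I(X;Y) for the canonical embedding of pxy = {(x, y): prob}.
    Pairs absent from the dict have probability zero."""
    xs = sorted({x for x, _ in pxy}, key=repr)
    ys = sorted({y for _, y in pxy}, key=repr)
    rho_a = [[sum(math.sqrt(pxy.get((x, y), 0.0) * pxy.get((xp, y), 0.0)) for y in ys)
              for xp in xs] for x in xs]
    s_a = entropy(sym_eigenvalues(rho_a))
    p_x = [sum(pxy.get((x, y), 0.0) for y in ys) for x in xs]
    p_y = [sum(pxy.get((x, y), 0.0) for x in xs) for y in ys]
    i_xy = entropy(p_x) + entropy(p_y) - entropy(pxy.values())
    return s_a - i_xy


# --- joint distributions of Section 5 (constructed here from the page's definitions) ---
def rot_distribution(r):
    """ROT^r: x in {0,1}^r; y = x or the erasure symbol, each pair with prob 2^-(r+1)."""
    d = {}
    for x in product((0, 1), repeat=r):
        d[(x, x)] = 2.0 ** -(r + 1)
        d[(x, "erasure")] = 2.0 ** -(r + 1)   # "erasure" stands for the symbol bottom
    return d


def ot12_distribution(r, p=0.0):
    """1-2-OT^r (p = 0) or, for r = 1, the noisy 1-2-OT^p: y = x_c flipped w.p. p."""
    assert p == 0.0 or r == 1, "the noisy variant is defined on the page for bits only"
    n = 2.0 ** (2 * r + 1)                     # number of (x0, x1, c) triples
    d = {}
    for x0, x1 in product(product((0, 1), repeat=r), repeat=2):
        for c in (0, 1):
            for y in product((0, 1), repeat=r):
                prob = (1 - p) if y == (x0, x1)[c] else p
                if prob > 0:
                    d[((x0, x1), (c, y))] = prob / n
    return d


def sand_distribution():
    """SAND: ((x, a), (y, b)) with prob 1/8 whenever x AND y == a XOR b."""
    return {((x, a), (y, b)): 0.125
            for x, a, y, b in product((0, 1), repeat=4) if (x & y) == a ^ b}


def rot_leakage_closed_form(r):
    """Theorem A.1: eigenvalues 1/2 + 2^-(r+1) (once) and 2^-(r+1) (2^r - 1 times), I(X;Y) = r/2."""
    big, small = 0.5 + 2.0 ** -(r + 1), 2.0 ** -(r + 1)
    return entropy([big] + [small] * (2 ** r - 1)) - r / 2


if __name__ == "__main__":
    cases = [("ROT^1", rot_distribution(1)), ("ROT^2", rot_distribution(2)),
             ("1-2-OT", ot12_distribution(1)), ("SAND", sand_distribution()),
             ("1-2-OT^2", ot12_distribution(2)), ("1-2-OT^p, p=0.1", ot12_distribution(1, 0.1))]
    for name, dist in cases:
        print(f"{name:18s} canonical-embedding leakage = {canonical_leakage(dist):.4f}")
```

For the string primitives the canonical embedding gives $1 - 2^{-r}$ for $\mathrm{1\text{-}2\text{-}OT}^r$ and the Theorem A.1 value for $\mathrm{ROT}^r$, both above the $1 - O(r2^{-r})$ lower bounds of Table 1.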


A.2 Lower Bounds 

Theorem A.3. Any embedding $|\psi\rangle$ of $P^{\mathrm{1\text{-}2\text{-}OT}^r}_{X,Y}$ is $(1 - O(r 2^{-r}))$-leaking.

Proof. We use Theorem 4.13 to show that any (regular) embedding of $P^{\mathrm{1\text{-}2\text{-}OT}^r}_{X,Y}$ leaks at least as much as some regular embedding of $P^{\mathrm{ROT}^r}_{X,Y}$. Let $(A_0, A_1)$ and $B$ denote Alice's and Bob's respective registers. Then $|\psi\rangle_{A_0A_1B}$ can be written in the form:
$$|\psi\rangle_{A_0A_1B} = \sum_{x \in \{0,1\}^r} 2^{-r/2}\,|x\rangle_{A_1}\,|\psi_x\rangle_{A_0B} ,$$
where each
$$|\psi_x\rangle = \frac{1}{2^{(r+1)/2}} \sum_{x' \in \{0,1\}^r} \Big( e^{i\theta(x',x,0)}\,|x'\rangle_{A_0}|0,x'\rangle_B + e^{i\theta(x',x,1)}\,|x'\rangle_{A_0}|1,x\rangle_B \Big)$$
can be viewed as a regular embedding of $P^{\mathrm{ROT}^r}_{X,Y}$. According to Theorem 4.13 and Theorem A.1 we get that
$$\Delta_{P^{\mathrm{1\text{-}2\text{-}OT}^r}_{X,Y}} \ge \Delta_{P^{\mathrm{ROT}^r}_{X,Y}} = 1 - O(r/2^r) . \qquad \square$$

Theorem A.4. If $p < \frac{1}{2} - \frac{1}{2\sqrt{2}} \approx 0.1464$ then $\Delta_{P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}} \ge \frac{(1/2 - p - \sqrt{(1-p)p})^2}{32 \ln 2}$.

Proof. Before starting with the actual proof, we formulate a useful statement relating two measures of uncertainty of a quantum ensemble.

Theorem A.5 (Average Encoding Theorem [KNTsZ01]). Let $E$ denote a quantum system storing the quantum part of a cq-state $\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_E$. Then
$$\sum_x P_X(x)\,\|\rho_E - \rho^x_E\|_1 \le \sqrt{2(\ln 2)\,S(X;E)} .$$

In order to prove Theorem A.4 we first notice that for any regular embedding of $P_{X,Y_0Y_1}$ such that $Y_0$ and $Y_1$ are independent, it holds that
$$S(A;Y_0Y_1) \ge S(A;Y_0) + S(A;Y_1) . \qquad (19)$$
We can write
$$\begin{aligned} S(A;Y_0) + S(A;Y_1) &= H(Y_0) + H(Y_1) - S(Y_0|A) - S(Y_1|A) \\ &= H(Y_0Y_1) - S(Y_0|A) - S(Y_1|A) \\ &\le H(Y_0Y_1) - S(Y_0Y_1|A) = S(A;Y_0Y_1) , \end{aligned}$$
which proves Inequality (19).

Let $X$, $Y_0$, $Y_1$ be random variables corresponding to Alice's pair of bits, Bob's selection bit, and its value, respectively. For $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$ we have that $I(X;Y_0Y_1) = 1 - h(p)$. As the selection bit $Y_0$ and the value $Y_1$ are independent, we can use (19) to lower bound $S(A;Y_0Y_1)$ as follows
$$S(A;Y_0Y_1) \ge S(A;Y_0) + S(A;Y_1) \ge S(A;Y_0) + (1 - h(p)) .$$
Hence, for computing the lower bound on $S(A;Y_0Y_1)$, we only need to compute the lower bound on $S(A;Y_0)$. A state $|\psi\rangle \in \mathcal{E}(P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y})$ can be written as
$$|\psi\rangle = \frac{1}{\sqrt{2}}\big(|\psi_0\rangle_{AB_1}|0\rangle_{B_0} + |\psi_1\rangle_{AB_1}|1\rangle_{B_0}\big) .$$
Let $\rho^0_A := \mathrm{tr}_{B_1}|\psi_0\rangle\langle\psi_0|$ and $\rho^1_A := \mathrm{tr}_{B_1}|\psi_1\rangle\langle\psi_1|$. By applying Theorem A.5 from above, we get that
$$\|\rho^0_A - \rho^1_A\|_1 \le \sqrt{8(\ln 2)\,S(A;Y_0)} ,$$
and therefore,
$$\frac{\|\rho^0_A - \rho^1_A\|_1^2}{8 \ln 2} \le S(A;Y_0) . \qquad (20)$$
The trace norm of $\rho^0_A - \rho^1_A$ yields an upper bound on the entries of the matrix:
$$|(\rho^0_A - \rho^1_A)_{ij}| \le \|\rho^0_A - \rho^1_A\|_1 . \qquad (21)$$

We can write the state $|\psi\rangle$ in the form:
$$|\psi\rangle = \frac{1}{2} \sum_{y_0,y_1} |\varphi_{y_0,y_1}\rangle_A\,|y_0y_1\rangle_{B_0B_1} ,$$
where, identifying Alice's pair $x = x_0x_1 \in \{0,1\}^2$ with $\{0,\dots,3\}$,
$$\begin{aligned} |\varphi_{0,y}\rangle &= \frac{1}{\sqrt{2}}\Big( \sum_{x:\,x_0 = y} \sqrt{1-p}\,e^{i\theta(x,0,y)}\,|x\rangle + \sum_{x:\,x_0 \neq y} \sqrt{p}\,e^{i\theta(x,0,y)}\,|x\rangle \Big) , \\ |\varphi_{1,y}\rangle &= \frac{1}{\sqrt{2}}\Big( \sum_{x:\,x_1 = y} \sqrt{1-p}\,e^{i\theta(x,1,y)}\,|x\rangle + \sum_{x:\,x_1 \neq y} \sqrt{p}\,e^{i\theta(x,1,y)}\,|x\rangle \Big) . \end{aligned}$$


By evaluating the individual matrix entries of $(\rho^0_A - \rho^1_A)$ we get a simple lower bound on $|(\rho^0_A - \rho^1_A)_{ij}|$ for some $i \neq j \in \{0,\dots,3\}$:
$$|(\rho^0_A - \rho^1_A)_{ij}| \ge \frac{1 - 2p - 2\sqrt{(1-p)p}}{4} , \qquad (22)$$
hence, from (21) follows that
$$\|\rho^0_A - \rho^1_A\|_1 \ge \frac{1 - 2p - 2\sqrt{(1-p)p}}{4} ,$$
yielding due to (19) and (20) that
$$S(A;Y_0Y_1) \ge 1 - h(p) + S(A;Y_0) \ge 1 - h(p) + \frac{(1/2 - p - \sqrt{(1-p)p})^2}{32 \ln 2} .$$
The lower bound is non-trivial if $1/2 - p - \sqrt{(1-p)p} > 0$, which is true for $p < \frac{1}{2} - \frac{1}{2\sqrt{2}}$.

The result yields the following lower bound on the leakage of $P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}$:
$$\Delta_{P^{\mathrm{1\text{-}2\text{-}OT}^p}_{X,Y}} \ge \frac{(1/2 - p - \sqrt{(1-p)p})^2}{32 \ln 2} .$$
However, this lower bound is very loose, since for $p = 0$ we get that
$$\Delta_{P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}} \ge \frac{1}{128 \ln 2} \approx 0.011 ,$$
which is much weaker than the optimal $\Delta_{P^{\mathrm{1\text{-}2\text{-}OT}}_{X,Y}} = \frac{1}{2}$. $\square$
It remains to mention that by using a more careful analysis of the phases of $|\varphi_{0,y}\rangle$ and $|\varphi_{1,y}\rangle$, the lower bound on the absolute value of the off-diagonal entries from (22) can be improved, yielding a non-trivial lower bound on the leakage for $p > 0.1464$ and eventually even for any $p < 1/4$.




